GHSA-3V45-F3VH-WG7M

Vulnerability from github – Published: 2026-06-19 19:35 – Updated: 2026-06-19 19:35
VLAI
Summary
Oj: Stack Buffer Overflow in Oj.dump via Large Indent
Details

Summary

Oj.dump is vulnerable to a stack-based buffer overflow when a large :indent value is provided by the developer. fill_indent in dump.h calls memset(indent_str, ' ', (size_t)opts->indent) without validating the size. When opts->indent is set to INT_MAX (2,147,483,647), the (size_t) cast preserves the large value and memset writes 2 GB into the stack-allocated out buffer (4,184 bytes), corrupting the stack and crashing the process.

Version

  • Software: oj gem
  • Affected: all versions with ext/oj/dump.h
  • Latest tested: 3.17.1 (confirmed present)

Details

ext/oj/dump.h, line 77:

static void fill_indent(Out out, int depth) {
    if (0 < out->opts->indent) {
        size_t len = (size_t)(out->opts->indent * depth);
        // ...
        memset(out->buf + ..., ' ', len);  // len = 2147483647 * depth

The indent option is accepted as a plain Ruby integer and stored as int without range validation. Multiplying by depth can produce a value larger than any stack or heap buffer.

ASAN report:

==69820==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fd1fc201278
WRITE of size 2147483647 at 0x7fd1fc201278 thread T0
    #0 memset
    #1 fill_indent  /ext/oj/dump.h:77
    #2 dump_array   /ext/oj/dump_compat.c:165
    #3 oj_dump_obj_to_json_using_params  /ext/oj/dump.c:818
    #4 dump_body    /ext/oj/oj.c:1429
    #5 dump         /ext/oj/oj.c:1480
Address is in stack of thread T0 at offset 4728 in frame:
    #0 dump /ext/oj/oj.c:1453
  [544, 4728) 'out'  <== Memory access at offset 4728 overflows this variable

Reproduce

require "oj"
obj = [0]
Oj.dump(obj, mode: :compat, indent: 2_147_483_647)

Workaround

The develop should not use extreme indents and should not offer the option for users to dump Ruby data with unlimited indentation size.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 3.17.2"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "oj"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.17.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54502"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-121"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T19:35:27Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\n`Oj.dump` is vulnerable to a stack-based buffer overflow when a large `:indent` value is provided by the developer. `fill_indent` in `dump.h` calls `memset(indent_str, \u0027 \u0027, (size_t)opts-\u003eindent)` without validating the size. When `opts-\u003eindent` is set to `INT_MAX` (2,147,483,647), the `(size_t)` cast preserves the large value and `memset` writes 2 GB into the stack-allocated `out` buffer (4,184 bytes), corrupting the stack and crashing the process.\n\n### Version\n\n- **Software**: oj gem\n- **Affected**: all versions with `ext/oj/dump.h`\n- **Latest tested**: 3.17.1 (confirmed present)\n\n### Details\n\n`ext/oj/dump.h`, line 77:\n\n```c\nstatic void fill_indent(Out out, int depth) {\n    if (0 \u003c out-\u003eopts-\u003eindent) {\n        size_t len = (size_t)(out-\u003eopts-\u003eindent * depth);\n        // ...\n        memset(out-\u003ebuf + ..., \u0027 \u0027, len);  // len = 2147483647 * depth\n```\n\nThe `indent` option is accepted as a plain Ruby integer and stored as `int` without range validation. Multiplying by `depth` can produce a value larger than any stack or heap buffer.\n\nASAN report:\n```\n==69820==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fd1fc201278\nWRITE of size 2147483647 at 0x7fd1fc201278 thread T0\n    #0 memset\n    #1 fill_indent  /ext/oj/dump.h:77\n    #2 dump_array   /ext/oj/dump_compat.c:165\n    #3 oj_dump_obj_to_json_using_params  /ext/oj/dump.c:818\n    #4 dump_body    /ext/oj/oj.c:1429\n    #5 dump         /ext/oj/oj.c:1480\nAddress is in stack of thread T0 at offset 4728 in frame:\n    #0 dump /ext/oj/oj.c:1453\n  [544, 4728) \u0027out\u0027  \u003c== Memory access at offset 4728 overflows this variable\n```\n\n### Reproduce\n\n```ruby\nrequire \"oj\"\nobj = [0]\nOj.dump(obj, mode: :compat, indent: 2_147_483_647)\n```\n\n### Workaround\n\nThe develop should not use extreme indents and should not offer the option for users to dump Ruby data with unlimited indentation size.",
  "id": "GHSA-3v45-f3vh-wg7m",
  "modified": "2026-06-19T19:35:27Z",
  "published": "2026-06-19T19:35:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ohler55/oj/security/advisories/GHSA-3v45-f3vh-wg7m"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ohler55/oj"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Oj: Stack Buffer Overflow in Oj.dump via Large Indent"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…