CVE-2026-54502
Oj: Stack Buffer Overflow in Oj.dump via Large Indent
Description
### Summary

`Oj.dump` is vulnerable to a stack-based buffer overflow when a large `:indent` value is provided by the developer. `fill_indent` in `dump.h` calls `memset(indent_str, ' ', (size_t)opts->indent)` without validating the size. When `opts->indent` is set to `INT_MAX` (2,147,483,647), the `(size_t)` cast preserves the large value and `memset` writes 2 GB into the stack-allocated `out` buffer (4,184 bytes), corrupting the stack and crashing the process.

### Version

- **Software**: oj gem
- **Affected**: all versions with `ext/oj/dump.h`
- **Latest tested**: 3.17.1 (confirmed present)

### Details

`ext/oj/dump.h`, line 77:

```c
static void fill_indent(Out out, int depth) {
    if (0 < out->opts->indent) {
        size_t len = (size_t)(out->opts->indent * depth);
        // ...
        memset(out->buf + ..., ' ', len);  // len = 2147483647 * depth
```

The `indent` option is accepted as a plain Ruby integer and stored as `int` without range validation. Multiplying by `depth` can produce a value larger than any stack or heap buffer.

ASAN report:

```
==69820==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fd1fc201278
WRITE of size 2147483647 at 0x7fd1fc201278 thread T0
    #0 memset
    #1 fill_indent /ext/oj/dump.h:77
    #2 dump_array /ext/oj/dump_compat.c:165
    #3 oj_dump_obj_to_json_using_params /ext/oj/dump.c:818
    #4 dump_body /ext/oj/oj.c:1429
    #5 dump /ext/oj/oj.c:1480

Address is in stack of thread T0 at offset 4728 in frame:
    #0 dump /ext/oj/oj.c:1453
    [544, 4728) 'out' <== Memory access at offset 4728 overflows this variable
```

### Reproduce

```ruby
require "oj"

obj = [0]
Oj.dump(obj, mode: :compat, indent: 2_147_483_647)
```

### Workaround

The developer should not use extreme indents and should not offer the option for users to dump Ruby data with unlimited indentation size.
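As an added illustration (not oj's code and not its 3.17.3 fix), this is the check a writer into a fixed stack buffer needs before calling `memset`: reject out-of-range indents, guard the `indent * depth` multiplication against overflow, and compare the result with the remaining capacity of the buffer. The 4,184-byte buffer size is taken from the ASAN frame above; `MAX_INDENT`, `out_t` and `safe_fill_indent` are assumed names chosen for the example.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Size of the stack-allocated output buffer reported by ASAN ([544, 4728) = 4184 bytes). */
#define OUT_BUF_SIZE 4184
/* Constructed upper bound on an indent a JSON pretty-printer could ever need;
 * an assumption for this example, not a value from the oj project. */
#define MAX_INDENT 256

/* Hypothetical output buffer mirroring the shape of the vulnerable 'out' frame. */
typedef struct {
    char   buf[OUT_BUF_SIZE];
    size_t used;   /* bytes already written into buf */
} out_t;

/* Write indent * depth spaces at the current position.
 * Returns the number of bytes written, or 0 when the request is refused.
 * Unlike the vulnerable fill_indent, every step that could exceed the
 * buffer is checked before memset runs. */
static size_t safe_fill_indent(out_t *out, int indent, int depth)
{
    if (indent <= 0 || depth <= 0) {
        return 0;                       /* nothing to indent */
    }
    if (indent > MAX_INDENT) {
        return 0;                       /* e.g. INT_MAX is rejected outright */
    }
    /* Overflow-safe multiply: do the check in size_t, never in int. */
    if ((size_t)depth > SIZE_MAX / (size_t)indent) {
        return 0;
    }
    size_t len = (size_t)indent * (size_t)depth;
    /* Capacity check against what is actually left in the buffer. */
    if (len > OUT_BUF_SIZE - out->used) {
        return 0;
    }
    memset(out->buf + out->used, ' ', len);
    out->used += len;
    return len;
}
```

A production fix would more likely clamp or raise an error at the point where the Ruby `:indent` option is converted to `int`, so the check happens once rather than on every call.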
How to patch CVE-2026-54502
To patch CVE-2026-54502, upgrade the affected package to the patched version listed below.
- Upgrade to 3.17.3 or later
Is CVE-2026-54502 being exploited?
There is currently no sign of exploitation. CVE-2026-54502 is not in the CISA KEV catalog and has no recent EPSS score.