{
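  "root_cause": "In the long-key (len >= 254) branch of form_attr(), the uninitialized 256-byte stack buffer `buf` is passed to rb_intern3() instead of the correctly populated heap buffer `b`, so the interned attribute name is built from stale stack contents rather than from the parsed key. The length passed is len + 1, so unless len is bounded elsewhere, a sufficiently long key would also read beyond the end of `buf`.",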
  "vulnerable_sink": {
    "file": "ext/oj/intern.c",
    "function": "form_attr",
    "line": 72,
    "code_before": "id = rb_intern3(buf, len + 1, oj_utf8_encoding);",
    "code_after": "id = rb_intern3(b, len + 1, oj_utf8_encoding);"
  },
  "duplicate_sink": {
    "file": "ext/oj/usual.c",
    "function": "form_attr",
    "line": 66,
    "status": "already_fixed",
    "fix_commit": "ec368dbe936ef0104b782e4b0f67b17d6c7276f7",
    "fix_is_ancestor_of_vulnerable_version": true,
    "note": "Same buf/b confusion pattern; fixed before v3.17.2 was tagged. intern.c is a missed duplicate."
  },
  "reachable_paths": [
    {
      "path": "Oj.load(:object) -> object.c:oj_set_obj_ivar -> intern.c:oj_attr_intern -> cache.c:cache_intern -> intern.c:form_attr",
      "reaches_vulnerable_sink": true,
      "reaches_duplicate_sink": false,
      "vulnerable_version_leaks": true,
      "fixed_version_leaks": false
    }
  ],
  "non_reaching_paths": [
    {"path": "Oj.load(:compat)/:rails -> compat.c (oj_calc_hash_key + json_create)", "reason": "does not call form_attr or oj_attr_intern"},
    {"path": "Oj.load(:strict)/:null -> strict.c (rb_intern3 from parsed key)", "reason": "no stack buffer; reads directly from parsed key"},
    {"path": "Oj.load(:wab) -> wab.c (oj_sym_intern -> form_sym)", "reason": "form_sym builds a Ruby String first; no stack buffer"},
    {"path": "Oj.load(:custom) -> custom.c (oj_calc_hash_key)", "reason": "does not call form_attr"},
    {"path": "Oj::Parser.new(:usual) + create_id -> usual.c get_attr_id -> usual.c form_attr", "reason": "reaches the already-fixed usual.c copy, not intern.c; dynamic key buffer (no uninitialized stack read)"},
    {"path": "Oj::Parser.new(:object)", "reason": "not implemented; only a `// TBD` placeholder exists (parser.c:1263)"}
  ],
  "equivalence_class": "form_attr long-key buf/b variable confusion (uninitialized stack memory read)",
  "distinct_variants_found": 0,
  "bypasses_found": 0,
  "conclusion": "The fix (intern.c buf->b) closes the only reachable copy of the vulnerable sink. The duplicate copy (usual.c) was already fixed by a commit that is an ancestor of the vulnerable version. None of the other enumerated code paths reaches the sink. Root-cause equivalence analysis found no additional variant or bypass."
}
