json 2.19.3 → 2.19.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3182d9103a2ee3b673b923a4789e947a9cddb850f870f7fdb54d93f3bd1a5493
-  data.tar.gz: 0ee85345c9e1c99223f9cc3e859e4a7295f40f88461ca0f47059cfcc4e80154c
+  metadata.gz: 48a111e63867f6bb2c0cb1b2740a898f3102bc07ac196136e26ca9b68f510f89
+  data.tar.gz: 2f760d8afae80555c483afaaa8bead26f045d26c394cc07843a85deaff7fdd40
 SHA512:
-  metadata.gz: dedf64066bc4017b977330468b01613ce1d4a78c267b38519b7ef2705368e5d73187b64ca99777afaf900cc5f58523a722833e83c0ee011944bf15b34c33479e
-  data.tar.gz: c187fa755e0a7bd2e2ddb74498062a8138ac4882630713e3372886b5648a22a453b1a388174038b2d4144a724e1d44d5b444b190e49e3e7eb2047d8b98eef0a8
+  metadata.gz: 6387b2c483c8f4d7ed304f33a3553a2fde78c04efeff7ae32a1e952380df92d6df87b543c22832907b007f758f09bd2f80ef4db0b5753e46fdf73f0e264e9e02
+  data.tar.gz: c3c855b9e460768f83516914580c10854ea2b28ee73976e311ce55a0d2265576f65a23c41cccc47c7443d79883658962d1cf923880685d555b3af1ba0ebcb056

data/CHANGES.md

@@ -2,13 +2,17 @@
 
 ### Unreleased
 
+### 2026-04-19 (2.19.4)
+
+* Fix parsing of out of range floats (very large exponents that lead ot either `0.0` or `Inf`).
+
 ### 2026-03-25 (2.19.3)
 
 * Fix handling of unescaped control characters preceeded by a backslash.
 
 ### 2026-03-18 (2.19.2)
 
-* Fix a format string injection vulnerability in `JSON.parse(doc, allow_duplicate_key: false)`.
+* Fix a format string injection vulnerability in `JSON.parse(doc, allow_duplicate_key: false)`. `CVE-2026-33210`.
 
 ### 2026-03-08 (2.19.1)
 
@@ -28,6 +32,10 @@
 
 * Add `:allow_control_characters` parser options, to allow JSON strings containing unescaped ASCII control characters (e.g. newlines).
 
+### 2026-03-18 (2.17.1.2) - Security Backport
+
+* Fix a format string injection vulnerability in `JSON.parse(doc, allow_duplicate_key: false)`. `CVE-2026-33210`.
+
 ### 2025-12-04 (2.17.1)
 
 * Fix a regression in parsing of unicode surogate pairs (`\uXX\uXX`) that could cause an invalid string to be returned.
@@ -54,6 +62,10 @@
 * Optimized numbers parsing using SWAR (thanks to Scott Myron).
 * Optimized parsing of pretty printed documents using SWAR (thanks to Scott Myron).
 
+### 2026-03-18 (2.15.2.1) - Security Backport
+
+* Fix a format string injection vulnerability in `JSON.parse(doc, allow_duplicate_key: false)`. `CVE-2026-33210`.
+
 ### 2025-10-25 (2.15.2)
 
 * Fix `JSON::Coder` to have one dedicated depth counter per invocation.

data/ext/json/ext/generator/extconf.rb

@@ -5,6 +5,8 @@ if RUBY_ENGINE == 'truffleruby'
   File.write('Makefile', dummy_makefile("").join)
 else
   append_cflags("-std=c99")
+  have_const("RUBY_TYPED_EMBEDDABLE", "ruby.h") # RUBY_VERSION >= 3.3
+
   $defs << "-DJSON_GENERATOR"
   $defs << "-DJSON_DEBUG" if ENV.fetch("JSON_DEBUG", "0") != "0"
 

data/ext/json/ext/generator/generator.c

@@ -722,27 +722,20 @@ static void State_compact(void *ptr)
     state->as_json = rb_gc_location(state->as_json);
 }
 
-static void State_free(void *ptr)
-{
-    JSON_Generator_State *state = ptr;
-    ruby_xfree(state);
-}
-
 static size_t State_memsize(const void *ptr)
 {
     return sizeof(JSON_Generator_State);
 }
 
 static const rb_data_type_t JSON_Generator_State_type = {
-    "JSON/Generator/State",
-    {
+    .wrap_struct_name = "JSON/Generator/State",
+    .function = {
         .dmark = State_mark,
-        .dfree = State_free,
+        .dfree = RUBY_DEFAULT_FREE,
         .dsize = State_memsize,
         .dcompact = State_compact,
     },
-    0, 0,
-    RUBY_TYPED_WB_PROTECTED | RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_FROZEN_SHAREABLE,
+    .flags = RUBY_TYPED_WB_PROTECTED | RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_FROZEN_SHAREABLE | RUBY_TYPED_EMBEDDABLE,
 };
 
 static void state_init(JSON_Generator_State *state)

data/ext/json/ext/json.h

@@ -54,6 +54,17 @@ typedef unsigned char _Bool;
 #   define RUBY_TYPED_FROZEN_SHAREABLE 0
 #endif
 
+#ifdef RUBY_TYPED_EMBEDDABLE
+#  define HAVE_RUBY_TYPED_EMBEDDABLE 1
+#else
+# ifdef HAVE_CONST_RUBY_TYPED_EMBEDDABLE
+#  define RUBY_TYPED_EMBEDDABLE RUBY_TYPED_EMBEDDABLE
+#  define HAVE_RUBY_TYPED_EMBEDDABLE 1
+# else
+#  define RUBY_TYPED_EMBEDDABLE 0
+# endif
+#endif
+
 #ifndef NORETURN
 #if defined(__has_attribute) && __has_attribute(noreturn)
 #define NORETURN(x) __attribute__((noreturn)) x

data/ext/json/ext/parser/extconf.rb

@@ -7,6 +7,10 @@ have_func("rb_str_to_interned_str", "ruby.h") # RUBY_VERSION >= 3.0
 have_func("rb_hash_new_capa", "ruby.h") # RUBY_VERSION >= 3.2
 have_func("rb_hash_bulk_insert", "ruby.h") # Missing on TruffleRuby
 
+if RUBY_ENGINE == "ruby"
+  have_const("RUBY_TYPED_EMBEDDABLE", "ruby.h") # RUBY_VERSION >= 3.3
+end
+
 append_cflags("-std=c99")
 
 if enable_config('parser-use-simd', default=!ENV["JSON_DISABLE_SIMD"])

data/ext/json/ext/parser/parser.c

@@ -241,17 +241,27 @@ static void rvalue_stack_mark(void *ptr)
 {
     rvalue_stack *stack = (rvalue_stack *)ptr;
     long index;
-    for (index = 0; index < stack->head; index++) {
-        rb_gc_mark(stack->ptr[index]);
+    if (stack && stack->ptr) {
+        for (index = 0; index < stack->head; index++) {
+            rb_gc_mark(stack->ptr[index]);
+        }
     }
 }
 
+static void rvalue_stack_free_buffer(rvalue_stack *stack)
+{
+    ruby_xfree(stack->ptr);
+    stack->ptr = NULL;
+}
+
 static void rvalue_stack_free(void *ptr)
 {
     rvalue_stack *stack = (rvalue_stack *)ptr;
     if (stack) {
-        ruby_xfree(stack->ptr);
+        rvalue_stack_free_buffer(stack);
+#ifndef HAVE_RUBY_TYPED_EMBEDDABLE
         ruby_xfree(stack);
+#endif
     }
 }
 
@@ -262,14 +272,13 @@ static size_t rvalue_stack_memsize(const void *ptr)
 }
 
 static const rb_data_type_t JSON_Parser_rvalue_stack_type = {
-    "JSON::Ext::Parser/rvalue_stack",
-    {
+    .wrap_struct_name = "JSON::Ext::Parser/rvalue_stack",
+    .function = {
         .dmark = rvalue_stack_mark,
         .dfree = rvalue_stack_free,
         .dsize = rvalue_stack_memsize,
     },
-    0, 0,
-    RUBY_TYPED_FREE_IMMEDIATELY,
+    .flags = RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_EMBEDDABLE,
 };
 
 static rvalue_stack *rvalue_stack_spill(rvalue_stack *old_stack, VALUE *handle, rvalue_stack **stack_ref)
@@ -291,8 +300,12 @@ static void rvalue_stack_eagerly_release(VALUE handle)
     if (handle) {
         rvalue_stack *stack;
         TypedData_Get_Struct(handle, rvalue_stack, &JSON_Parser_rvalue_stack_type, stack);
-        RTYPEDDATA_DATA(handle) = NULL;
+#ifdef HAVE_RUBY_TYPED_EMBEDDABLE
+        rvalue_stack_free_buffer(stack);
+#else
         rvalue_stack_free(stack);
+        RTYPEDDATA_DATA(handle) = NULL;
+#endif
     }
 }
 
@@ -343,7 +356,7 @@ typedef struct JSON_ParserStruct {
 } JSON_ParserConfig;
 
 typedef struct JSON_ParserStateStruct {
-    VALUE stack_handle;
+    VALUE *stack_handle;
     const char *start;
     const char *cursor;
     const char *end;
@@ -436,9 +449,8 @@ static VALUE build_parse_error_message(const char *format, JSON_ParserState *sta
         }
     }
 
-    VALUE msg = rb_sprintf(format, ptr);
-    VALUE message = rb_enc_sprintf(enc_utf8, "%s at line %ld column %ld", RSTRING_PTR(msg), line, column);
-    RB_GC_GUARD(msg);
+    VALUE message = rb_enc_sprintf(enc_utf8, format, ptr);
+    rb_str_catf(message, " at line %ld column %ld", line, column);
     return message;
 }
 
@@ -843,7 +855,7 @@ NOINLINE(static) VALUE json_decode_large_float(const char *start, long len)
 /* Ruby JSON optimized float decoder using vendored Ryu algorithm
  * Accepts pre-extracted mantissa and exponent from first-pass validation
  */
-static inline VALUE json_decode_float(JSON_ParserConfig *config, uint64_t mantissa, int mantissa_digits, int32_t exponent, bool negative,
+static inline VALUE json_decode_float(JSON_ParserConfig *config, uint64_t mantissa, int mantissa_digits, int64_t exponent, bool negative,
                                           const char *start, const char *end)
 {
     if (RB_UNLIKELY(config->decimal_class)) {
@@ -851,13 +863,21 @@ static inline VALUE json_decode_float(JSON_ParserConfig *config, uint64_t mantis
         return rb_funcallv(config->decimal_class, config->decimal_method_id, 1, &text);
     }
 
+    if (RB_UNLIKELY(exponent > INT32_MAX)) {
+        return negative ? CMinusInfinity : CInfinity;
+    }
+
+    if (RB_UNLIKELY(exponent < INT32_MIN)) {
+        return rb_float_new(negative ? -0.0 : 0.0);
+    }
+
     // Fall back to rb_cstr_to_dbl for potential subnormals (rare edge case)
     // Ryu has rounding issues with subnormals around 1e-310 (< 2.225e-308)
     if (RB_UNLIKELY(mantissa_digits > 17 || mantissa_digits + exponent < -307)) {
         return json_decode_large_float(start, end - start);
     }
 
-    return DBL2NUM(ryu_s2d_from_parts(mantissa, mantissa_digits, exponent, negative));
+    return DBL2NUM(ryu_s2d_from_parts(mantissa, mantissa_digits, (int32_t)exponent, negative));
 }
 
 static inline VALUE json_decode_array(JSON_ParserState *state, JSON_ParserConfig *config, long count)
@@ -911,9 +931,6 @@ NORETURN(static) void raise_duplicate_key_error(JSON_ParserState *state, VALUE d
     cursor_position(state, &line, &column);
     rb_str_concat(message, build_parse_error_message("", state, line, column)) ;
     rb_exc_raise(parse_error_new(message, line, column));
-
-    raise_parse_error(RSTRING_PTR(message), state);
-    RB_GC_GUARD(message);
 }
 
 static inline VALUE json_decode_object(JSON_ParserState *state, JSON_ParserConfig *config, size_t count)
@@ -950,7 +967,7 @@ static inline VALUE json_push_value(JSON_ParserState *state, JSON_ParserConfig *
     if (RB_UNLIKELY(config->on_load_proc)) {
         value = rb_proc_call_with_block(config->on_load_proc, 1, &value, Qnil);
     }
-    rvalue_stack_push(state->stack, value, &state->stack_handle, &state->stack);
+    rvalue_stack_push(state->stack, value, state->stack_handle, &state->stack);
     return value;
 }
 
@@ -1135,7 +1152,7 @@ static inline VALUE json_parse_number(JSON_ParserState *state, JSON_ParserConfig
     const char first_digit = *state->cursor;
 
     // Variables for Ryu optimization - extract digits during parsing
-    int32_t exponent = 0;
+    int64_t exponent = 0;
     int decimal_point_pos = -1;
     uint64_t mantissa = 0;
 
@@ -1179,7 +1196,7 @@ static inline VALUE json_parse_number(JSON_ParserState *state, JSON_ParserConfig
             raise_parse_error_at("invalid number: %s", state, start);
         }
 
-        exponent = negative_exponent ? -((int32_t)abs_exponent) : ((int32_t)abs_exponent);
+        exponent = negative_exponent ? -abs_exponent : abs_exponent;
     }
 
     if (integer) {
@@ -1560,11 +1577,13 @@ static VALUE cParser_parse(JSON_ParserConfig *config, VALUE Vsource)
     const char *start;
     RSTRING_GETMEM(Vsource, start, len);
 
+    VALUE stack_handle = 0;
     JSON_ParserState _state = {
         .start = start,
         .cursor = start,
         .end = start + len,
         .stack = &stack,
+        .stack_handle = &stack_handle,
     };
     JSON_ParserState *state = &_state;
 
@@ -1572,8 +1591,8 @@ static VALUE cParser_parse(JSON_ParserConfig *config, VALUE Vsource)
 
     // This may be skipped in case of exception, but
     // it won't cause a leak.
-    rvalue_stack_eagerly_release(state->stack_handle);
-
+    rvalue_stack_eagerly_release(stack_handle);
+    RB_GC_GUARD(stack_handle);
     json_ensure_eof(state);
 
     return result;
@@ -1611,26 +1630,19 @@ static void JSON_ParserConfig_mark(void *ptr)
     rb_gc_mark(config->decimal_class);
 }
 
-static void JSON_ParserConfig_free(void *ptr)
-{
-    JSON_ParserConfig *config = ptr;
-    ruby_xfree(config);
-}
-
 static size_t JSON_ParserConfig_memsize(const void *ptr)
 {
     return sizeof(JSON_ParserConfig);
 }
 
 static const rb_data_type_t JSON_ParserConfig_type = {
-    "JSON::Ext::Parser/ParserConfig",
-    {
+    .wrap_struct_name = "JSON::Ext::Parser/ParserConfig",
+    .function = {
         JSON_ParserConfig_mark,
-        JSON_ParserConfig_free,
+        RUBY_DEFAULT_FREE,
         JSON_ParserConfig_memsize,
     },
-    0, 0,
-    RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED | RUBY_TYPED_FROZEN_SHAREABLE,
+    .flags = RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED | RUBY_TYPED_FROZEN_SHAREABLE | RUBY_TYPED_EMBEDDABLE,
 };
 
 static VALUE cJSON_parser_s_allocate(VALUE klass)

data/lib/json/truffle_ruby/generator.rb

@@ -48,7 +48,7 @@ module JSON
       SCRIPT_SAFE_ESCAPE_PATTERN = /[\/"\\\x0-\x1f\u2028-\u2029]/
 
       def self.native_type?(value) # :nodoc:
-        (false == value || true == value || nil == value || String === value || Array === value || Hash === value || Integer === value || Float === value || Fragment === value)
+        (false == value || true == value || nil == value || String === value || Symbol === value || Array === value || Hash === value || Integer === value || Float === value || Fragment === value)
       end
 
       def self.native_key?(key) # :nodoc:
@@ -517,11 +517,11 @@ module JSON
 
             if empty?
               state.depth -= 1
-              return '{}'
+              return +'{}'
             end
 
             delim = ",#{state.object_nl}"
-            result = +"{#{state.object_nl}"
+            result = "{#{state.object_nl}"
             first = true
             key_type = nil
             indent = !state.object_nl.empty?
@@ -558,7 +558,7 @@ module JSON
                 raise TypeError, "#{key.class}#to_s returns an instance of #{key_str.class}, expected a String"
               end
 
-              result = +"#{result}#{key_json}#{state.space_before}:#{state.space}"
+              result = "#{result}#{key_json}#{state.space_before}:#{state.space}"
               if state.strict? && !Generator.native_type?(value)
                 if state.as_json
                   value = state.as_json.call(value, false)
@@ -609,7 +609,7 @@ module JSON
 
             if empty?
               state.depth -= 1
-              return '[]'
+              return +'[]'
             end
 
             result = '['.dup
@@ -734,17 +734,17 @@ module JSON
 
         module TrueClass
           # Returns a JSON string for true: 'true'.
-          def to_json(*) 'true' end
+          def to_json(*) +'true' end
         end
 
         module FalseClass
           # Returns a JSON string for false: 'false'.
-          def to_json(*) 'false' end
+          def to_json(*) +'false' end
         end
 
         module NilClass
           # Returns a JSON string for nil: 'null'.
-          def to_json(*) 'null' end
+          def to_json(*) +'null' end
         end
       end
     end

data/lib/json/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module JSON
-  VERSION = '2.19.3'
+  VERSION = '2.19.4'
 end

data/lib/json.rb

@@ -335,8 +335,8 @@ require 'json/common'
 #   JSON.generate(JSON::MinusInfinity)
 #
 # Allow:
-#   ruby = [Float::NaN, Float::Infinity, Float::MinusInfinity]
-#   JSON.generate(ruby, allow_nan: true) # => '[NaN,Infinity,-Infinity]'
+#   ruby = [Float::NAN, Float::INFINITY, JSON::NaN, JSON::Infinity, JSON::MinusInfinity]
+#   JSON.generate(ruby, allow_nan: true) # => '[NaN,Infinity,NaN,Infinity,-Infinity]'
 #
 # ---
 #

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: json
 version: !ruby/object:Gem::Version
-  version: 2.19.3
+  version: 2.19.4
 platform: ruby
 authors:
 - Florian Frank
@@ -84,7 +84,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 4.0.3
+rubygems_version: 4.0.6
 specification_version: 4
 summary: JSON Implementation for Ruby
 test_files: []