json 2.19.7 → 2.19.9

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 579bc938143b2fc703d90623fb985af883a7b46f0641d874cc44a39a4ffae2dd
-  data.tar.gz: f69a8d12a9f83378e0e0e6b0abdda34cf23d7ebf026dcc114dc70089dd159190
+  metadata.gz: 5e5fed66aaa650ac7aaf223c4d8e505a2d6ce3fe72599af4931356ae619f020b
+  data.tar.gz: 347004780c7a7568685502ade79f145371a49a213d348a65c99ea8fbffc6eee7
 SHA512:
-  metadata.gz: 3bb0a35502ac84a22a71f076a68feb5ea525ff802491e2532bd863653d1b6808de4715108886e6bb00cc5ef378ec298bea81e2d932a748886f1f4ec8b0637b03
-  data.tar.gz: e50b9b31f846e105a725807db54fe86f8176331d975ea772a1f9f666ed91e4555497f79008a4b01b08de3c2605cb1867671f87b86f196632b05d1f5a21872143
+  metadata.gz: 0bffdb4cd21e4656a1402a00d95ae890dc75befff379aeef4aad575a7f715a0dbeb87cfef6fefa3cd5235c3302a29fabb510d5db67e527678023cd8a88c34b49
+  data.tar.gz: 7e08cfae0c5d404687644528ecfb9438c9ea254f43fd285d116ba1542a4ef78045463b18850324e91ba4d0c735e7d9ed4b583499aadafe7d0bab51dd54a8d086

data/CHANGES.md

@@ -2,6 +2,16 @@
 
 ### Unreleased
 
+### 2026-06-11 (2.19.9)
+
+* Fix buffer overflow that could lead to a crash when writing JSON directly into an IO
+  with `JSON.generate(object, io)`. [CVE-PENDING].
+
+### 2026-06-03 (2.19.8)
+
+* Fix 1-byte buffer overread on EOS errors.
+* Handle invalid types passed as `max_nesting` option.
+
 ### 2026-05-28 (2.19.7)
 
 * Fix some more edge cases with out of range floats.

data/README.md

@@ -249,6 +249,17 @@ There are also the methods `Kernel#j` for generate, and `Kernel#jj` for
 `pretty_generate` output to the console, that work analogous to Core Ruby's `p` and
 the `pp` library's `pp` methods.
 
+## Security
+
+When parsing or serializing untrusted input, parser and generator options should never be user controlled.
+
+```ruby
+# Dangerous, DO NOT DO THIS.
+JSON.generate(params[:data], params[:options])
+```
+
+Security vulnerability reports relying on attacker controlled parsing or generator options will be handled as regular bug fixes.
+
 ## Development
 
 ### Prerequisites

data/ext/json/ext/fbuffer/fbuffer.h

@@ -37,13 +37,17 @@ static void fbuffer_append_long(FBuffer *fb, long number);
 static inline void fbuffer_append_char(FBuffer *fb, char newchr);
 static VALUE fbuffer_finalize(FBuffer *fb);
 
-static void fbuffer_stack_init(FBuffer *fb, size_t initial_length, char *stack_buffer, size_t stack_buffer_size)
+static void fbuffer_init(FBuffer *fb, size_t initial_length, VALUE io, char *stack_buffer, size_t stack_buffer_size)
 {
-    fb->initial_length = (initial_length > 0) ? initial_length : FBUFFER_INITIAL_LENGTH_DEFAULT;
-    if (stack_buffer) {
+    if (RTEST(io)) {
+        JSON_ASSERT(fb->type == FBUFFER_HEAP_ALLOCATED);
+        fb->io = io;
+        fb->initial_length = (initial_length > 0) ? initial_length : FBUFFER_IO_BUFFER_SIZE;
+    } else {
         fb->type = FBUFFER_STACK_ALLOCATED;
         fb->ptr = stack_buffer;
         fb->capa = stack_buffer_size;
+        fb->initial_length = (initial_length > 0) ? initial_length : FBUFFER_INITIAL_LENGTH_DEFAULT;
     }
 #if JSON_DEBUG
     fb->requested = 0;
@@ -79,45 +83,40 @@ static void fbuffer_flush(FBuffer *fb)
     fbuffer_clear(fb);
 }
 
-static void fbuffer_realloc(FBuffer *fb, size_t required)
+static void fbuffer_realloc(FBuffer *fb, size_t new_capa)
 {
-    if (required > fb->capa) {
+    if (new_capa > fb->capa) {
         if (fb->type == FBUFFER_STACK_ALLOCATED) {
             const char *old_buffer = fb->ptr;
-            fb->ptr = ALLOC_N(char, required);
+            fb->ptr = ALLOC_N(char, new_capa);
             fb->type = FBUFFER_HEAP_ALLOCATED;
             MEMCPY(fb->ptr, old_buffer, char, fb->len);
         } else {
-            REALLOC_N(fb->ptr, char, required);
+            REALLOC_N(fb->ptr, char, new_capa);
         }
-        fb->capa = required;
+        fb->capa = new_capa;
     }
 }
 
 static void fbuffer_do_inc_capa(FBuffer *fb, size_t requested)
 {
     if (RB_UNLIKELY(fb->io)) {
-        if (fb->capa < FBUFFER_IO_BUFFER_SIZE) {
-            fbuffer_realloc(fb, FBUFFER_IO_BUFFER_SIZE);
-        } else {
+        if (fb->capa != 0) {
             fbuffer_flush(fb);
-        }
-
-        if (RB_LIKELY(requested < fb->capa)) {
-            return;
+            if (RB_LIKELY(requested < fb->capa)) {
+                return;
+            }
         }
     }
 
-    size_t required;
+    size_t new_capa = fb->capa ? fb->capa : fb->initial_length;
+    size_t needed_capa = requested + fb->len;
 
-    if (RB_UNLIKELY(!fb->ptr)) {
-        fb->ptr = ALLOC_N(char, fb->initial_length);
-        fb->capa = fb->initial_length;
+    while (new_capa < needed_capa) {
+        new_capa *= 2;
     }
 
-    for (required = fb->capa; requested > required - fb->len; required <<= 1);
-
-    fbuffer_realloc(fb, required);
+    fbuffer_realloc(fb, new_capa);
 }
 
 static inline void fbuffer_inc_capa(FBuffer *fb, size_t requested)

data/ext/json/ext/generator/generator.c

@@ -1304,10 +1304,8 @@ static inline VALUE cState_partial_generate(VALUE self, VALUE obj, generator_fun
     GET_STATE(self);
 
     char stack_buffer[FBUFFER_STACK_SIZE];
-    FBuffer buffer = {
-        .io = RTEST(io) ? io : Qfalse,
-    };
-    fbuffer_stack_init(&buffer, state->buffer_initial_length, stack_buffer, FBUFFER_STACK_SIZE);
+    FBuffer buffer = { 0 };
+    fbuffer_init(&buffer, state->buffer_initial_length, io, stack_buffer, FBUFFER_STACK_SIZE);
 
     struct generate_json_data data = {
         .buffer = &buffer,
@@ -1581,7 +1579,7 @@ static VALUE cState_max_nesting(VALUE self)
 
 static long long_config(VALUE num)
 {
-    return RTEST(num) ? FIX2LONG(num) : 0;
+    return RTEST(num) ? NUM2LONG(num) : 0;
 }
 
 // depth must never be negative; reject early with a clear error.
@@ -1866,10 +1864,8 @@ static VALUE cState_m_do_generate(VALUE klass, VALUE obj, VALUE opts, VALUE io,
     configure_state(&state, Qfalse, opts);
 
     char stack_buffer[FBUFFER_STACK_SIZE];
-    FBuffer buffer = {
-        .io = RTEST(io) ? io : Qfalse,
-    };
-    fbuffer_stack_init(&buffer, state.buffer_initial_length, stack_buffer, FBUFFER_STACK_SIZE);
+    FBuffer buffer = { 0 };
+    fbuffer_init(&buffer, state.buffer_initial_length, io, stack_buffer, FBUFFER_STACK_SIZE);
 
     struct generate_json_data data = {
         .buffer = &buffer,

data/ext/json/ext/parser/parser.c

@@ -385,6 +385,13 @@ static inline char peek(JSON_ParserState *state)
 
 static void cursor_position(JSON_ParserState *state, long *line_out, long *column_out)
 {
+    JSON_ASSERT(state->cursor <= state->end);
+
+    // Redundant but helpful for hardening
+    if (RB_UNLIKELY(state->cursor > state->end)) {
+        state->cursor = state->end;
+    }
+
     const char *cursor = state->cursor;
     long column = 0;
     long line = 1;
@@ -1022,6 +1029,13 @@ ALWAYS_INLINE(static) bool string_scan(JSON_ParserState *state)
         }
         state->cursor++;
     }
+
+    // If the string ended with an unterminated escape sequence, we might
+    // have gone past the end.
+    if (RB_UNLIKELY(state->cursor > state->end)) {
+        state->cursor = state->end;
+    }
+
     return false;
 }
 

data/lib/json/truffle_ruby/generator.rb

@@ -307,6 +307,9 @@ module JSON
           if !opts.key?(:max_nesting) # defaults to 100
             @max_nesting = 100
           elsif opts[:max_nesting]
+            unless opts[:max_nesting].is_a?(Integer)
+              raise TypeError, ":max_nesting must be an Integer, got: #{opts[:max_nesting].class}"
+            end
             @max_nesting = opts[:max_nesting]
           else
             @max_nesting = 0

data/lib/json/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module JSON
-  VERSION = '2.19.7'
+  VERSION = '2.19.9'
 end

metadata

@@ -1,10 +1,10 @@
 --- !ruby/object:Gem::Specification
 name: json
 version: !ruby/object:Gem::Version
-  version: 2.19.7
+  version: 2.19.9
 platform: ruby
 authors:
-- Florian Frank
+  - Florian Frank
 bindir: bin
 cert_chain: []
 date: 1980-01-02 00:00:00.000000000 Z
@@ -13,78 +13,80 @@ description: This is a JSON implementation as a Ruby extension in C.
 email: flori@ping.de
 executables: []
 extensions:
-- ext/json/ext/generator/extconf.rb
-- ext/json/ext/parser/extconf.rb
+  - ext/json/ext/generator/extconf.rb
+  - ext/json/ext/parser/extconf.rb
 extra_rdoc_files:
-- README.md
+  - README.md
 files:
-- BSDL
-- CHANGES.md
-- COPYING
-- LEGAL
-- README.md
-- ext/json/ext/fbuffer/fbuffer.h
-- ext/json/ext/generator/extconf.rb
-- ext/json/ext/generator/generator.c
-- ext/json/ext/json.h
-- ext/json/ext/parser/extconf.rb
-- ext/json/ext/parser/parser.c
-- ext/json/ext/simd/conf.rb
-- ext/json/ext/simd/simd.h
-- ext/json/ext/vendor/fpconv.c
-- ext/json/ext/vendor/jeaiii-ltoa.h
-- ext/json/ext/vendor/ryu.h
-- json.gemspec
-- lib/json.rb
-- lib/json/add/bigdecimal.rb
-- lib/json/add/complex.rb
-- lib/json/add/core.rb
-- lib/json/add/date.rb
-- lib/json/add/date_time.rb
-- lib/json/add/exception.rb
-- lib/json/add/ostruct.rb
-- lib/json/add/range.rb
-- lib/json/add/rational.rb
-- lib/json/add/regexp.rb
-- lib/json/add/set.rb
-- lib/json/add/string.rb
-- lib/json/add/struct.rb
-- lib/json/add/symbol.rb
-- lib/json/add/time.rb
-- lib/json/common.rb
-- lib/json/ext.rb
-- lib/json/ext/generator/state.rb
-- lib/json/generic_object.rb
-- lib/json/truffle_ruby/generator.rb
-- lib/json/version.rb
-homepage: https://github.com/ruby/json
+  - BSDL
+  - CHANGES.md
+  - COPYING
+  - LEGAL
+  - README.md
+  - ext/json/ext/fbuffer/fbuffer.h
+  - ext/json/ext/generator/extconf.rb
+  - ext/json/ext/generator/generator.c
+  - ext/json/ext/json.h
+  - ext/json/ext/parser/extconf.rb
+  - ext/json/ext/parser/parser.c
+  - ext/json/ext/simd/conf.rb
+  - ext/json/ext/simd/simd.h
+  - ext/json/ext/vendor/fpconv.c
+  - ext/json/ext/vendor/jeaiii-ltoa.h
+  - ext/json/ext/vendor/ryu.h
+  - json.gemspec
+  - lib/json.rb
+  - lib/json/add/bigdecimal.rb
+  - lib/json/add/complex.rb
+  - lib/json/add/core.rb
+  - lib/json/add/date.rb
+  - lib/json/add/date_time.rb
+  - lib/json/add/exception.rb
+  - lib/json/add/ostruct.rb
+  - lib/json/add/range.rb
+  - lib/json/add/rational.rb
+  - lib/json/add/regexp.rb
+  - lib/json/add/set.rb
+  - lib/json/add/string.rb
+  - lib/json/add/struct.rb
+  - lib/json/add/symbol.rb
+  - lib/json/add/time.rb
+  - lib/json/common.rb
+  - lib/json/ext.rb
+  - lib/json/ext/generator/state.rb
+  - lib/json/generic_object.rb
+  - lib/json/truffle_ruby/generator.rb
+  - lib/json/version.rb
+homepage: "https://github.com/ruby/json"
 licenses:
-- Ruby
+  - Ruby
 metadata:
-  bug_tracker_uri: https://github.com/ruby/json/issues
-  changelog_uri: https://github.com/ruby/json/blob/master/CHANGES.md
-  documentation_uri: https://docs.ruby-lang.org/en/master/JSON.html
-  homepage_uri: https://github.com/ruby/json
-  source_code_uri: https://github.com/ruby/json
+  bug_tracker_uri: "https://github.com/ruby/json/issues"
+  changelog_uri: "https://github.com/ruby/json/blob/master/CHANGES.md"
+  documentation_uri: "https://docs.ruby-lang.org/en/master/JSON.html"
+  homepage_uri: "https://github.com/ruby/json"
+  source_code_uri: "https://github.com/ruby/json"
 rdoc_options:
-- "--title"
-- JSON implementation for Ruby
-- "--main"
-- README.md
+  - "--title"
+  - JSON implementation for Ruby
+  - "--main"
+  - README.md
 require_paths:
-- lib
+  - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
-    - !ruby/object:Gem::Version
-      version: '2.7'
+    -
+      - ">="
+      - !ruby/object:Gem::Version
+        version: "2.7"
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
-    - !ruby/object:Gem::Version
-      version: '0'
+    -
+      - ">="
+      - !ruby/object:Gem::Version
+        version: "0"
 requirements: []
-rubygems_version: 4.0.12
+rubygems_version: 4.1.0.dev
 specification_version: 4
 summary: JSON Implementation for Ruby
 test_files: []