ujson is vulnerable to Buffer Overflow (heap based)
75
High Risk
The encoder in ultrajsonenc.c reserves output buffer space using enc->indent * (enc->level + 1) with an int type. When indent or nesting is large enough, the product overflows and the reserved size is underestimated, so subsequent writes cause a heap buffer overflow. Separately, a negative indent value leads to size_t underflow in the same arithmetic; the buffer up-sizer can then enter an infinite loop. Both are reachable via ujson.dumps(obj, indent=...) or equivalent.

The fix switches indent arithmetic to ptrdiff_t, caps positive indent at 1000 (raising ValueError above that), and clips negative indent to -1 while skipping indentation code paths so underflow and the infinite loop are avoided.
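The arithmetic described above can be modelled in a few lines. The following is an added example, not code from ujson or from this advisory: `reserve_unchecked` reproduces the pre-fix behaviour (an int product, then conversion to size_t) with the wrap made explicit so the demo has no undefined behaviour, and `clip_indent` / `indent_allowed` / `reserve_checked` reproduce the remedy the advisory describes (cap at 1000, clip negatives to -1, ptrdiff_t arithmetic, skip the indentation path). The function names, the `MAX_INDENT` macro and the sample values are assumptions chosen for illustration; only the 1000 cap and the -1 clip come from the advisory.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for the cap the advisory says the fix enforces. */
#define MAX_INDENT 1000

/* Pre-fix model: the product is computed in int and then used as a size_t.
   Signed overflow is undefined in C, so the 32-bit wrap is emulated by
   computing in 64 bits and truncating; the observable result is the same
   as what a 32-bit int multiply would have produced on common targets. */
size_t reserve_unchecked(int indent, int level) {
    int64_t wide = (int64_t)indent * ((int64_t)level + 1);
    int32_t wrapped = (int32_t)(uint32_t)wide;   /* models int overflow   */
    return (size_t)wrapped;                       /* models size_t convert */
}

/* Check a practitioner would want before trusting the int version:
   does indent * (level + 1) fit in an int at all? */
int product_fits_int(long indent, long level) {
    int64_t wide = (int64_t)indent * ((int64_t)level + 1);
    return wide >= INT_MIN && wide <= INT_MAX;
}

/* Post-fix model, part 1: reject indents above the cap (ujson raises
   ValueError there, per the advisory). Returns 1 if allowed, 0 if not. */
int indent_allowed(long requested) {
    return requested <= MAX_INDENT;
}

/* Post-fix model, part 2: any negative indent is clipped to -1, positive
   values pass through as ptrdiff_t. Caller must check indent_allowed first. */
ptrdiff_t clip_indent(long requested) {
    return requested < 0 ? (ptrdiff_t)-1 : (ptrdiff_t)requested;
}

/* Post-fix model, part 3: ptrdiff_t arithmetic, and no reservation at all
   when indentation is off, so a negative value never reaches the multiply. */
ptrdiff_t reserve_checked(ptrdiff_t indent, ptrdiff_t level) {
    if (indent <= 0) return 0;                   /* indentation path skipped */
    return indent * (level + 1);
}

int main(void) {
    /* Constructed sample: indent 2^30 at nesting level 3 gives 2^32,
       which wraps to 0, i.e. nothing is reserved for 4 GiB of writes. */
    int big = 1 << 30;
    printf("unchecked(2^30, 3)  = %zu (fits int: %d)\n",
           reserve_unchecked(big, 3), product_fits_int(big, 3));
    /* Constructed sample: indent -1 becomes SIZE_MAX after conversion. */
    printf("unchecked(-1, 0)    = %zu\n", reserve_unchecked(-1, 0));
    /* The remedy: huge indent rejected, negative clipped and skipped. */
    printf("allowed(2^30)       = %d\n", indent_allowed(big));
    printf("checked(clip(-7),3) = %td\n", reserve_checked(clip_indent(-7), 3));
    printf("checked(4, 3)       = %td\n", reserve_checked(4, 3));
    return 0;
}
```

`product_fits_int` is the kind of guard to add wherever a user-controlled multiplier feeds a buffer size; the advisory's fix avoids the need for it by bounding `indent` before any multiplication happens.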
You are affected if you are using a version that falls within the vulnerable range.
ujson is vulnerable to Buffer Overflow (heap based) in versions 5.2.0 - 5.11.0.
Upgrade the ujson library to the patched version.