Oj: Use-After-Free in Oj::Parser array_class/hash_class GC Marking

An attacker who can control the `array_class` or `hash_class` option passed to `Oj::Parser.new` can trigger a use-after-free. The attacker creates a custom class, assigns it as `array_class`, drops all Ruby references to it, and forces a full GC run before calling `parse`. Because the parser's mark function does not protect the class reference [ref_id=1][ref_id=2], the GC reclaims the class object, and the subsequent `parse` call dereferences the dangling VALUE, producing a segfault. No network access or authentication is required; the attacker only needs the ability to instantiate an `Oj::Parser` with a custom class and trigger GC.

The bug resides in `ext/oj/parser.c` (the `parser_mark` function) and `ext/oj/usual.c` (the `close_array_class` function at line 405). The `parser_mark` callback fails to call `rb_gc_mark` on `d->array_class` (and `d->hash_class`), so the Ruby GC does not know those VALUEs are still referenced. When `close_array_class` later invokes `rb_funcallv` on the collected class, it dereferences freed memory, causing a segfault.

The advisory states that the `parser_mark` function in `ext/oj/parser.c` must call `rb_gc_mark` on `d->array_class` and `d->hash_class` so the GC knows those VALUEs are still live [ref_id=1][ref_id=2]. Without that call, the GC treats the class objects as unreachable and frees them. The fix adds the missing `rb_gc_mark` invocations, ensuring the custom class objects are kept alive as long as the parser holds a reference to them. No patch diff is included in the bundle, but the remediation is clearly described.

```ruby require 'oj' p = Oj::Parser.new(:usual, array_class: (ac = Class.new { def <<(_x); end })) ObjectSpace.define_finalizer(ac, proc { warn 'array_class finalized' }) ac = nil GC.start(full_mark: true, immediate_sweep: true) # collect the class p.parse('[1]') # segfault ```