From: usa Date: Mon, 30 Mar 2020 22:22:10 +0000 (+0000) Subject: [PATCH] merge revision(s) 36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01: [Backport #16698] X-Git-Tag: archive/raspbian/2.3.3-1+deb9u9+rpi1^2~2 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=aded008d5deb14f27007499c4267a417bd955732;p=ruby2.3.git [PATCH] merge revision(s) 36e9ed7fef6eb2d14becf6c52452e4ab16e4bf01: [Backport #16698] backport 80b5a0ff2a7709367178f29d4ebe1c54122b1c27 partially as a securify fix for CVE-2020-10663. The patch was provided by Jeremy Evans. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67856 b2dd03c8-39d4-4d8f-98ff-823fe69b080e git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@67869 b2dd03c8-39d4-4d8f-98ff-823fe69b080e Author: Utkarsh Gupta Gbp-Pq: Name CVE-2020-10663.patch
---
diff --git a/ext/json/parser/parser.c b/ext/json/parser/parser.c
index 773605c..3e1a2bb 100644
--- a/ext/json/parser/parser.c
+++ b/ext/json/parser/parser.c
@@ -1739,7 +1739,7 @@ static VALUE cParser_initialize(int argc, VALUE *argv, VALUE self)
 } else {
 json->max_nesting = 100;
 json->allow_nan = 0;
- json->create_additions = 1;
+ json->create_additions = 0;
 json->create_id = rb_funcall(mJSON, i_create_id, 0);
 json->object_class = Qnil;
 json->array_class = Qnil;
diff --git a/ext/json/parser/parser.rl b/ext/json/parser/parser.rl
index 2fa0cae..1d8a967 100644
--- a/ext/json/parser/parser.rl
+++ b/ext/json/parser/parser.rl
@@ -723,7 +723,7 @@ static VALUE cParser_initialize(int argc, VALUE *argv, VALUE self)
 } else {
 json->max_nesting = 100;
 json->allow_nan = 0;
- json->create_additions = 1;
+ json->create_additions = 0;
 json->create_id = rb_funcall(mJSON, i_create_id, 0);
 json->object_class = Qnil;
 json->array_class = Qnil;
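Review bot: The new default `json->create_additions = 0;` in the no-options branch of cParser_initialize has neither a comment nor a regression test, so a later resync of the parser could restore the old default unnoticed. I would add `/* Off by default: additions let the document choose which class is instantiated (CVE-2020-10663). */` above the assignment in parser.rl, with parser.c regenerated from it rather than edited by hand. I would also add a test asserting that a parser constructed without options returns a plain Hash for a document that carries the create_id key. The description says the upstream commit was backported only partially, and the options-given branch of the function starts outside the hunk. It is therefore worth confirming that that branch also leaves additions off when the key is absent, and that no Ruby-level entry point in this package still passes `create_additions` as true on the caller's behalf.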