fix CVE-2022-31117

fix-CVE-2022-31117.patch

@@ -0,0 +1,25 @@
+From a68e5b61f3df39cf998911fc87fe277436839902 Mon Sep 17 00:00:00 2001
+From: huangduirong <huangduirong@huawei.com>
+Date: Tue, 28 Feb 2023 08:59:16 -0500
+Subject: [PATCH] x
+
+---
+ lib/ultrajsondec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/lib/ultrajsondec.c b/lib/ultrajsondec.c
+index cfa3be0..3e429c6 100644
+--- a/lib/ultrajsondec.c
++++ b/lib/ultrajsondec.c
+@@ -330,7 +330,7 @@ static FASTCALL_ATTR JSOBJ FASTCALL_MSVC decode_string ( struct DecoderState *ds
+       escStart = (JSUINT32 *)ds->dec->realloc(ds->escStart, newSize * sizeof(JSUINT32));
+       if (!escStart)
+       {
+-        ds->dec->free(ds->escStart);
++        // Don't free ds->escStart here; it gets handled in JSON_DecodeObject.
+         return SetError(ds, -1, "Could not reserve memory block");
+       }
+       ds->escStart = escStart;
+-- 
+2.35.1
+

python-ujson.spec

@@ -1,13 +1,14 @@
 %global _empty_manifest_terminate_build 0
 Name:           python-ujson
 Version:        5.1.0
-Release:        2
+Release:        3
 Summary:        Ultra fast JSON encoder and decoder for Python
 License:        BSD
 URL:            https://github.com/ultrajson/ultrajson
 Source0:        https://files.pythonhosted.org/packages/92/4a/2676677f59709517560b2b7eeb027453e86643d54d04687602e76cca4380/ujson-5.1.0.tar.gz
 
 Patch0001:      fix-CVE-2022-31116.patch
+Patch0002:      fix-CVE-2022-31117.patch
 
 %description
 UltraJSON is an ultra fast JSON encoder and decoder written in pure C with bindings for Python 3.6+
@@ -78,6 +79,9 @@ mv %{buildroot}/doclist.lst .
 %{_docdir}/*
 
 %changelog
+* Wed Mar 1 2023 huangduirong <huangduirong@huawei.com> - 5.1.0-3
+- fix CVE-2022-31117
+
 * Sun Feb 26 2023 huangduirong <huangduirong@huawei.com> - 5.1.0-2
 - fix CVE-2022-31116