backport 80b5a0ff2a7709367178f29d4ebe1c54122b1c27 partially as a securify fix for CVE-2020-10663.

The patch was provided by Jeremy Evans.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67856 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

3 files changed, 3 insertions, 3 deletions

diff --git a/ext/json/parser/parser.c b/ext/json/parser/parser.c
index b02aae8fb9..027fbcc26f 100644
--- a/ext/json/parser/parser.c
+++ b/ext/json/parser/parser.c
@@ -1835,7 +1835,7 @@ static VALUE cParser_initialize(int argc, VALUE *argv, VALUE self)
     } else {
         json->max_nesting = 100;
         json->allow_nan = 0;
-        json->create_additions = 1;
+        json->create_additions = 0;
         json->create_id = rb_funcall(mJSON, i_create_id, 0);
         json->object_class = Qnil;
         json->array_class = Qnil;
diff --git a/ext/json/parser/parser.rl b/ext/json/parser/parser.rl
index d4e7a60e9d..fb0bb515de 100644
--- a/ext/json/parser/parser.rl
+++ b/ext/json/parser/parser.rl
@@ -730,7 +730,7 @@ static VALUE cParser_initialize(int argc, VALUE *argv, VALUE self)
     } else {
         json->max_nesting = 100;
         json->allow_nan = 0;
-        json->create_additions = 1;
+        json->create_additions = 0;
         json->create_id = rb_funcall(mJSON, i_create_id, 0);
         json->object_class = Qnil;
         json->array_class = Qnil;
diff --git a/version.h b/version.h
index 6418e302ff..97b395a9d9 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
 #define RUBY_VERSION "2.6.6"
 #define RUBY_RELEASE_DATE "2020-03-20"
-#define RUBY_PATCHLEVEL 141
+#define RUBY_PATCHLEVEL 142
 
 #define RUBY_RELEASE_YEAR 2020
 #define RUBY_RELEASE_MONTH 3