diff --git a/backport-CVE-2022-28738.patch b/backport-CVE-2022-28738.patch
new file mode 100644
index 0000000000000000000000000000000000000000..71a77a0f5fe2e98e6daae1240e6122ede9072d42
--- /dev/null
+++ b/backport-CVE-2022-28738.patch
@@ -0,0 +1,65 @@
+From 052ec6d2585c3ace95671013d336f5543624ef3d Mon Sep 17 00:00:00 2001
+From: nagachika
+Date: Tue, 12 Apr 2022 20:07:08 +0900
+Subject: [PATCH] Just free compiled pattern if no space is used
+
+---
+ regcomp.c | 14 ++++++++------
+ test/ruby/test_regexp.rb | 9 +++++++++
+ 2 files changed, 17 insertions(+), 6 deletions(-)
+
+diff --git a/regcomp.c b/regcomp.c
+index 3a438b9..bd38313 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -142,8 +142,13 @@ bitset_on_num(BitSetRef bs)
+ static void
+ onig_reg_resize(regex_t *reg)
+ {
+- resize:
+- if (reg->alloc > reg->used) {
++ do {
++ if (!reg->used) {
++ xfree(reg->p);
++ reg->alloc = 0;
++ reg->p = 0;
++ }
++ else if (reg->alloc > reg->used) {
+ unsigned char *new_ptr = xrealloc(reg->p, reg->used);
+ // Skip the right size optimization if memory allocation fails
+ if (new_ptr) {
+@@ -151,10 +156,7 @@ onig_reg_resize(regex_t *reg)
+ reg->p = new_ptr;
+ }
+ }
+- if (reg->chain) {
+- reg = reg->chain;
+- goto resize;
+- }
++ } while ((reg = reg->chain) != 0);
+ }
+
+ extern int
+diff --git a/test/ruby/test_regexp.rb b/test/ruby/test_regexp.rb
+index 35d20ee..679a013 100644
+--- a/test/ruby/test_regexp.rb
++++ b/test/ruby/test_regexp.rb
+@@ -1344,6 +1344,15 @@ class TestRegexp < Test::Unit::TestCase
+ end
+ end
+
++ def test_invalid_group
++ assert_separately([], "#{<<-"begin;"}\n#{<<-'end;'}")
++ begin;
++ assert_raise_with_message(RegexpError, /invalid conditional pattern/) do
++ Regexp.new("((?(1)x|x|)x)+")
++ end
++ end;
++ end
++
+ # This assertion is for porting x2() tests in testpy.py of Onigmo.
+ def assert_match_at(re, str, positions, msg = nil)
+ re = Regexp.new(re) unless re.is_a?(Regexp)
+--
+1.8.3.1
+
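Review bot: The new `if (!reg->used)` branch in onig_reg_resize (nested regcomp.c hunk at line 142) frees the buffer explicitly but carries no comment saying why the realloc path below it must not be taken for an empty pattern, so a later cleanup could fold it back into the `xrealloc` branch. A size-zero realloc is implementation-defined and may release the block and return a null pointer; since the code keeps the old `reg->p` when `new_ptr` is null, that path would leave `reg->p` dangling and the eventual free of it would be a double free. A comment such as `/* Never xrealloc(reg->p, 0): it may free the block and return NULL, leaving reg->p dangling for a later free. */` above the branch would record the intent. As this is a vendored backport kept identical to upstream, the same sentence could instead go into the patch's Subject/description so the file stays byte-for-byte with the original commit.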
diff --git a/backport-CVE-2022-28739.patch b/backport-CVE-2022-28739.patch
new file mode 100644
index 0000000000000000000000000000000000000000..a45522db2b3f4647382186a46d81a6f599e8022c
--- /dev/null
+++ b/backport-CVE-2022-28739.patch
@@ -0,0 +1,63 @@
+From 3fa771ddedac25560be57f4055f1767e6c810f58 Mon Sep 17 00:00:00 2001
+From: nagachika
+Date: Tue, 12 Apr 2022 20:08:08 +0900
+Subject: [PATCH] Fix dtoa buffer overrun
+
+---
+ missing/dtoa.c | 3 ++-
+ test/ruby/test_float.rb | 18 ++++++++++++++++++
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/missing/dtoa.c b/missing/dtoa.c
+index a940eab..b7a8302 100644
+--- a/missing/dtoa.c
++++ b/missing/dtoa.c
+@@ -1552,6 +1552,7 @@ break2:
+ if (!*++s || !(s1 = strchr(hexdigit, *s))) goto ret0;
+ if (*s == '0') {
+ while (*++s == '0');
++ if (!*s) goto ret;
+ s1 = strchr(hexdigit, *s);
+ }
+ if (s1 != NULL) {
+@@ -1574,7 +1575,7 @@ break2:
+ for (; *s && (s1 = strchr(hexdigit, *s)); ++s) {
+ adj += aadj * ((s1 - hexdigit) & 15);
+ if ((aadj /= 16) == 0.0) {
+- while (strchr(hexdigit, *++s));
++ while (*++s && strchr(hexdigit, *s));
+ break;
+ }
+ }
+diff --git a/test/ruby/test_float.rb b/test/ruby/test_float.rb
+index fbf0d87..b218b72 100644
+--- a/test/ruby/test_float.rb
++++ b/test/ruby/test_float.rb
+@@ -171,6 +171,24 @@ class TestFloat < Test::Unit::TestCase
+ assert_raise(ArgumentError, n += z + "A") {Float(n)}
+ assert_raise(ArgumentError, n += z + ".0") {Float(n)}
+ end
++
++ x = nil
++ 2000.times do
++ x = Float("0x"+"0"*30)
++ break unless x == 0.0
++ end
++ assert_equal(0.0, x, ->{"%a" % x})
++ x = nil
++ 2000.times do
++ begin
++ x = Float("0x1."+"0"*270)
++ rescue ArgumentError => e
++ raise unless /"0x1\.0{270}"/ =~ e.message
++ else
++ break
++ end
++ end
++ assert_nil(x, ->{"%a" % x})
+ end
+
+ def test_divmod
+--
+1.8.3.1
+
diff --git a/ruby.spec b/ruby.spec
index 7f315c965a1c486732090ea118620803bc702748..5912363100aa613799fcd3740c6ba95654d00655 100644
--- a/ruby.spec
+++ b/ruby.spec
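Review bot: Both guards added in the nested missing/dtoa.c hunks (`if (!*s) goto ret;` at line 1552 and the `*++s &&` test at line 1575) depend on a property of strchr that nothing in the hunk states: strchr(hexdigit, '\0') returns a pointer to hexdigit's own terminator rather than NULL, so looking up `*s` once the input is exhausted succeeds and the scan walks past the end of the string. Without that being written down, either check looks redundant next to the existing `s1 != NULL` test and is at risk of being removed. A one-line comment above the first guard, e.g. `/* strchr(hexdigit, '\0') matches the terminator, so test for end of input before looking up *s */`, would make the reason explicit; in a vendored backport it can equally live in the patch description. The enclosing parsing function starts and ends outside both nested hunks, so the earlier `ret`/`ret0` labels the gotos target are not visible here.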
@@ -33,7 +33,7 @@ Name: ruby Version: %{ruby_version} -Release: 123 +Release: 124 Summary: Object-oriented scripting language interpreter License: (Ruby or BSD) and Public Domain and MIT and CC0 and zlib and UCD URL: https://www.ruby-lang.org/en/ @@ -169,6 +169,8 @@ Patch52: ruby-3.1.0-Support-OpenSSL-3.0.patch Patch53: ruby-3.1.0-SSL_read-EOF-handling.patch Patch6000: backport-Add-tests-for-template-stylesheets-option.patch +Patch6001: backport-CVE-2022-28738.patch +Patch6002: backport-CVE-2022-28739.patch Provides: %{name}-libs = %{version}-%{release} Obsoletes: %{name}-libs < %{version}-%{release} @@ -1181,6 +1183,9 @@ make runruby TESTRUN_SCRIPT=%{SOURCE13} %doc %{gem_dir}/gems/typeprof-%{typeprof_version}/testbed %changelog +* Fri May 27 2022 BruceGW - 3.0.3-124 +- fix CVE-2022-28738 CVE-2022-28739 + * Sat May 21 2022 shixuantong - 3.0.3-123 - drop dependency on ruby-help
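Review bot: The hunk at line 169 declares Patch6001 and Patch6002, but no hunk in this diff adds a step that applies them; if %prep applies patches with individual `%patch` lines rather than `%autosetup`, both CVE backports would be declared yet never applied and the package would build without the fixes while the changelog claims them. Please confirm that %prep (outside this diff) picks the new numbers up, and if it uses explicit lines add `%patch6001 -p1` and `%patch6002 -p1` next to the existing Patch6000 application. The Release bump at line 33 and the changelog entry at line 1183 need no change.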