removed buffer overflows introduced in regexp optimizations

Fabrice Bellard · Fabrice Bellard · commit a77400796df9 · 2025-11-22T12:10:55.000+01:00
diff --git a/libregexp.c b/libregexp.c
@@ -2737,7 +2737,7 @@ static intptr_t lre_exec_backtrack(REExecContext *s, uint8_t **capture,
                     if (idx2 >= 0)
                         capture[idx2] = sp[-1].ptr;
                     else
-                        aux_stack[-idx2 + 1] = sp[-1].ptr;
+                        aux_stack[-idx2 - 1] = sp[-1].ptr;
                     sp -= 2;
                 }
                 
@@ -2794,7 +2794,7 @@ static intptr_t lre_exec_backtrack(REExecContext *s, uint8_t **capture,
                     if (idx2 >= 0)
                         capture[idx2] = sp[-1].ptr;
                     else
-                        aux_stack[-idx2 + 1] = sp[-1].ptr;
+                        aux_stack[-idx2 - 1] = sp[-1].ptr;
                     sp -= 2;
                 }
                 pc = sp[-3].ptr;
diff --git a/quickjs.c b/quickjs.c
@@ -18022,7 +18022,7 @@ static JSValue JS_CallInternal(JSContext *caller_ctx, JSValueConst func_obj,
             {
                 sp[-2] = JS_NewRegexp(ctx, sp[-2], sp[-1]);
                 sp--;
-                if (JS_IsException(sp[-2]))
+                if (JS_IsException(sp[-1]))
                     goto exception;
             }
             BREAK;

Original file line number	Diff line number	Diff line change
`@@ -18022,7 +18022,7 @@ static JSValue JS_CallInternal(JSContext *caller_ctx, JSValueConst func_obj,`
`18022`	`18022`	`{`
`18023`	`18023`	`sp[-2] = JS_NewRegexp(ctx, sp[-2], sp[-1]);`
`18024`	`18024`	`sp--;`
`18025`		`- if (JS_IsException(sp[-2]))`
	`18025`	`+ if (JS_IsException(sp[-1]))`
`18026`	`18026`	`goto exception;`
`18027`	`18027`	`}`
`18028`	`18028`	`BREAK;`