From 619f455b8fc9d05b50822387d3203f74c86fcb5c Mon Sep 17 00:00:00 2001
From: Corinna Vinschen <vinschen@redhat.com>
Date: Fri, 2 Feb 2024 11:30:39 -0700
Subject: [PATCH] regex: fix freeing g->charjump in low memory condition

computejumps() moves g->charjump to a position relativ to the value of
CHAR_MIN.  As such, g->charjump doesn't necessarily point to the address
actually allocated.  While regfree() takes that into account, the low
memory handling in regcomp_internal() doesn't.  Fix that by free'ing
the actually allocated address, as in regfree().

MFC After: 2 weeks
Reviewed by: imp,jrtc27
Pull Request: https://github.com/freebsd/freebsd-src/pull/692
---
 lib/libc/regex/regcomp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/libc/regex/regcomp.c b/lib/libc/regex/regcomp.c
index 89b96b00fefb..7481d3ecf240 100644
--- a/lib/libc/regex/regcomp.c
+++ b/lib/libc/regex/regcomp.c
@@ -321,7 +321,7 @@ regcomp_internal(regex_t * __restrict preg,
 		computejumps(p, g);
 		computematchjumps(p, g);
 		if(g->matchjump == NULL && g->charjump != NULL) {
-			free(g->charjump);
+			free(&g->charjump[CHAR_MIN]);
 			g->charjump = NULL;
 		}
 	}