From a77400796df93195e431216efa6e5344f40d08fe Mon Sep 17 00:00:00 2001
From: Fabrice Bellard
Date: Sat, 22 Nov 2025 12:10:55 +0100
Subject: [PATCH] removed buffer overflows introduced in regexp optimizations

---
 libregexp.c | 4 ++--
 quickjs.c | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/libregexp.c b/libregexp.c
index ca711a4..28f407b 100644
--- a/libregexp.c
+++ b/libregexp.c
@@ -2737,7 +2737,7 @@ static intptr_t lre_exec_backtrack(REExecContext *s, uint8_t **capture,
             if (idx2 >= 0)
                 capture[idx2] = sp[-1].ptr;
             else
-                aux_stack[-idx2 + 1] = sp[-1].ptr;
+                aux_stack[-idx2 - 1] = sp[-1].ptr;
             sp -= 2;
         }
@@ -2794,7 +2794,7 @@ static intptr_t lre_exec_backtrack(REExecContext *s, uint8_t **capture,
             if (idx2 >= 0)
                 capture[idx2] = sp[-1].ptr;
             else
-                aux_stack[-idx2 + 1] = sp[-1].ptr;
+                aux_stack[-idx2 - 1] = sp[-1].ptr;
             sp -= 2;
         }
         pc = sp[-3].ptr;
diff --git a/quickjs.c b/quickjs.c
index f91bc12..2fcd29a 100644
--- a/quickjs.c
+++ b/quickjs.c
@@ -18022,7 +18022,7 @@ static JSValue JS_CallInternal(JSContext *caller_ctx, JSValueConst func_obj,
             {
                 sp[-2] = JS_NewRegexp(ctx, sp[-2], sp[-1]);
                 sp--;
-                if (JS_IsException(sp[-2]))
+                if (JS_IsException(sp[-1]))
                     goto exception;
             }
             BREAK;
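Review bot: The corrected index `-idx2 - 1` in the aux_stack store is an encoding invariant shared with whatever emits the negative idx2 values, and nothing at the use site states it; a reader cannot tell from the hunk why `- 1` rather than `+ 1` is right, which is how the original off-by-two slipped in. I would annotate the store, `/* idx2 < 0 addresses the aux stack: slot -idx2 - 1 */`, and, if the executor keeps the aux stack size somewhere, add a debug assert that `-idx2 - 1` stays below it. The same store appears again in the second hunk at line 2794; both could go through one static inline helper so the mapping lives in a single place. lre_exec_backtrack continues on both sides of each hunk.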
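Review bot: The check `if (JS_IsException(sp[-1]))` is only right because of the `sp--` on the preceding line, and the hunk gives no hint that the slot moved; the previous `sp[-2]` was exactly this kind of slip. A one-line comment on the decrement makes the invariant explicit, `sp--; /* regexp result is now at sp[-1] */`. Testing the result before the decrement would read more naturally, but it may change what the exception path sees on the operand stack, so I would not reorder it without checking that path. JS_CallInternal's body lies outside the hunk.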