In the function re_search_internal, there are 4 occurrences of 'goto free_return;' before the declaration and initialization of 'save_state_log'. In all these cases, an uninitialized value is getting passed to the free() function.
This patch fixes it. 2026-04-13 Bruno Haible <[email protected]> regex: Fix use of uninitialized variable (regression yesterday). Reported by Coverity. * lib/regexec.c (re_search_internal): Move initialization of variable 'save_state_log' further up. diff --git a/lib/regexec.c b/lib/regexec.c index 259dfd36c6..7095c4bf5b 100644 --- a/lib/regexec.c +++ b/lib/regexec.c @@ -627,6 +627,8 @@ re_search_internal (const regex_t *preg, const char *string, Idx length, /* We must check the longest matching, if nmatch > 0. */ fl_longest_match = (nmatch != 0 || dfa->nbackref); + re_dfastate_t **save_state_log = NULL; + err = re_string_allocate (&mctx.input, string, length, dfa->nodes_len + 1, preg->translate, (preg->syntax & RE_ICASE) != 0, dfa); @@ -678,8 +680,6 @@ re_search_internal (const regex_t *preg, const char *string, Idx length, | (t != NULL ? 1 : 0)) : 8); - re_dfastate_t **save_state_log = NULL; - for (;; match_first += incr) { err = REG_NOMATCH;
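Review bot: In the first hunk (@@ -627), the added `re_dfastate_t **save_state_log = NULL;` is still a mid-function declaration, placed after the `fl_longest_match` assignment, so the fix holds only while no `goto free_return;` appears above this point. The visible context does not show where the four jumps named in the report sit relative to the new location. Declaring the variable with the other locals at the top of re_search_internal would remove the ordering dependency. Failing that, a one-line comment here stating that the initialization must precede every `goto free_return;` would help keep a later edit from reintroducing a jump past the initializer. The removal in the second hunk, just before the `for (;; match_first += incr)` loop, needs no change.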
