Is that even the fix though? The problem sizeof*groups expression has already been removed by that point. This fixes something but it's not obviously related to the vulnerability description.

git log -S suggests 4cd93df95e697942adf0ff038fc8f357cbb07cf9, which looks more likely: https://cgit.freebsd.org/src/commit/?id=4cd93df95e697942adf0... - though not to say you don't want the later commit too. I'm sure you do.