LibRegex: Consume exactly two chars for escaped characters

We were previously consuming an extra char afterwards, which could be the charclass terminator, leading to possible OOB accesses.
Author: https://github.com/alimpfard Commit: 48442059fc Pull-request: https://github.com/SerenityOS/serenity/pull/15148
2025-07-30 12:49:19 +00:00 · 2022-09-06 23:56:12 +04:30 · 2022-09-06 23:56:12 +04:30 · 48442059fc · 2024-07-17 07:14:38 +09:00
commit 48442059fc
parent 7e1e208d08
1 changed files with 5 additions and 2 deletions
--- a/Userland/Libraries/LibRegex/RegexParser.cpp
+++ b/Userland/Libraries/LibRegex/RegexParser.cpp
@ -2701,10 +2701,13 @@ size_t ECMA262Parser::ensure_total_number_of_capturing_parenthesis()
            continue;
        case '[':
            while (!lexer.is_eof()) {
-                if (lexer.consume_specific('\\'))
+                if (lexer.consume_specific('\\')) {
                    lexer.consume();
-                else if (lexer.consume_specific(']'))
+                    continue;
+                }
+                if (lexer.consume_specific(']')) {
                    break;
+                }
                lexer.consume();
            }
            break;