From 48442059fcab714fdf3a30e86560ea6f3abe1361 Mon Sep 17 00:00:00 2001
From: Ali Mohammad Pur
Date: Tue, 6 Sep 2022 23:56:12 +0430
Subject: [PATCH] LibRegex: Consume exactly two chars for escaped characters

We were previously consuming an extra char afterwards, which could be the charclass terminator, leading to possible OOB accesses.
---
 Userland/Libraries/LibRegex/RegexParser.cpp | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/Userland/Libraries/LibRegex/RegexParser.cpp b/Userland/Libraries/LibRegex/RegexParser.cpp
index 01d1fab996..557632c650 100644
--- a/Userland/Libraries/LibRegex/RegexParser.cpp
+++ b/Userland/Libraries/LibRegex/RegexParser.cpp
@@ -2701,10 +2701,13 @@ size_t ECMA262Parser::ensure_total_number_of_capturing_parenthesis()
 continue;
 case '[':
 while (!lexer.is_eof()) {
- if (lexer.consume_specific('\\'))
+ if (lexer.consume_specific('\\')) {
 lexer.consume();
- else if (lexer.consume_specific(']'))
+ continue;
+ }
+ if (lexer.consume_specific(']')) {
 break;
+ }
 lexer.consume();
 }
 break;
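Review bot: The `lexer.consume();` that follows a matched backslash in the `case '['` loop still runs without an end-of-input check, so a source that ends right after a backslash inside an unterminated class reaches `consume()` at EOF. Whether that is harmless depends on how the lexer's `consume()` behaves at end of input, which is not visible in this hunk; guarding it as `if (!lexer.is_eof()) lexer.consume();` would keep the scan in bounds either way. A short comment such as `// Skip the escaped char so an escaped ']' does not terminate the class.` would record why the branch now continues, and a regression test for a class whose last member is an escaped character would pin the fix. The enclosing function starts and ends outside the hunk.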