From 27a38932da3fdbaba53e40caa5ca0e2fc00797cc Mon Sep 17 00:00:00 2001
From: Ali Mohammad Pur <ali.mpfard@gmail.com>
Date: Sun, 24 Mar 2024 00:22:43 +0100
Subject: [PATCH] LibRegex: Account for extra explicit And/Or in class parser
 assertion

Fixes #23691.
---
 Tests/LibRegex/Regex.cpp                    | 1 +
 Userland/Libraries/LibRegex/RegexParser.cpp | 7 ++++++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/Tests/LibRegex/Regex.cpp b/Tests/LibRegex/Regex.cpp
index 5d9672fabac..63b7b911d3f 100644
--- a/Tests/LibRegex/Regex.cpp
+++ b/Tests/LibRegex/Regex.cpp
@@ -800,6 +800,7 @@ TEST_CASE(ECMA262_unicode_sets_parser_error)
 
     constexpr _test tests[] {
         { "[[]"sv, regex::Error::InvalidPattern },
+        { "[[x[]]]"sv, regex::Error::NoError }, // #23691, should not crash on empty charclass within AndOr.
     };
 
     for (auto test : tests) {
diff --git a/Userland/Libraries/LibRegex/RegexParser.cpp b/Userland/Libraries/LibRegex/RegexParser.cpp
index 64fbbb78896..e2696068ca7 100644
--- a/Userland/Libraries/LibRegex/RegexParser.cpp
+++ b/Userland/Libraries/LibRegex/RegexParser.cpp
@@ -2386,7 +2386,12 @@ bool ECMA262Parser::parse_nested_class(Vector<regex::CompareTypeAndValuePair>& c
         if (match(TokenType::RightBracket)) {
             consume();
             // Should only have at most an 'Inverse' (after an 'Or')
-            VERIFY(compares.size() <= 2);
+            if (m_parser_state.regex_options.has_flag_set(regex::AllFlags::UnicodeSets)) {
+                // In unicode sets mode, we can have an additional 'And'/'Or' before the 'Inverse'.
+                VERIFY(compares.size() <= 3);
+            } else {
+                VERIFY(compares.size() <= 2);
+            }
             compares.append(CompareTypeAndValuePair { CharacterCompareType::EndAndOr, 0 });
             return true;
         }