Shell: Prevent exponential explosion around '$(('

When parse_expression looks at '$((', there are two ways it can end up
in parse_expression again, three consumed characters later. All these
ways fail, so what happened was that the parser tried all possible
combinations, hence taking potentially an exponential amount of time.

1. parse_evaluate swallows the '$(', a new invocation of
   parse_expression swallows the other '(', and through
   parse_list_expression we're at another parse_expression.
2. parse_evaluate swallows the '$(', but returns a SyntaxError.
   parse_expression used to not recognize the error, and treated it as a
   regular AST node, calling into read_concat, then a new invocation of
   parse_expression swallows the other '(', and through
   parse_list_expression we're at another parse_expression.

Fixes #10561.

Found by OSS Fuzz, long-standing issue
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=28113

1 files changed, 1 insertions, 1 deletions

diff --git a/Userland/Shell/Parser.h b/Userland/Shell/Parser.h
index 37aac4097f..003267f968 100644
--- a/Userland/Shell/Parser.h
+++ b/Userland/Shell/Parser.h
@@ -251,7 +251,7 @@ expression :: evaluate expression?
             | '(' list_expression ')' expression?
 
 evaluate :: '$' '(' pipe_sequence ')'
-          | '$' expression          {eval / dynamic resolve}
+          | '$' [lookahead != '('] expression          {eval / dynamic resolve}
 
 string_composite :: string string_composite?
                   | variable string_composite?