Fix bug 697141: buffer overrun in regexp string substitution.

A '$' escape at the end of the string would read past the zero terminator
when looking for the escaped character.
Tor Andersson
2016-09-21 16:02:11 +02:00
parent 8c805b4eb1
commit 5000749f5a


@@ -421,6 +421,7 @@ loop:
while (*r) {
if (*r == '$') {
switch (*(++r)) {
case 0: --r; /* end of string; back up and fall through */
case '$': js_putc(J, &sb, '$'); break;
case '`': js_putm(J, &sb, source, s); break;
case '\'': js_puts(J, &sb, s + n); break;
@@ -516,6 +517,7 @@ static void Sp_replace_string(js_State *J)
while (*r) {
if (*r == '$') {
switch (*(++r)) {
case 0: --r; /* end of string; back up and fall through */
case '$': js_putc(J, &sb, '$'); break;
case '&': js_putm(J, &sb, s, s + n); break;
case '`': js_putm(J, &sb, source, s); break;
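Review bot: The new `case 0:` arm, identical in both hunks, is correct only if the statement after the switch advances `r` exactly once: `--r` puts the pointer back on the '$', so the loop ends only when that later increment (outside both hunks, so presumed) lands on the terminator. I would record that dependency in the comment, e.g. `case 0: --r; /* trailing '$': step back so the increment after the switch stops on the NUL */`, followed by a separate `/* fall through */` line, since stricter -Wimplicit-fallthrough settings may not accept a marker embedded in a longer comment. Because the same guard is pasted into the regexp loop (first hunk) and Sp_replace_string (second hunk), a regression test with a replacement string ending in '$' for each path would keep the two copies from drifting apart. Both loops begin and end outside the hunks shown.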