Fix: OOB in sz_find_skylake / sz_rfind_skylake tail for null-byte needles (#312)

In the tail section of `sz_find_skylake` and `sz_rfind_skylake`, masked loads
(`_mm512_maskz_loadu_epi8`) zero out bytes beyond the valid haystack range.
The subsequent `_mm512_cmpeq_epi8_mask` comparisons are unmasked — they
compare all 64 lanes including the zeroed masked-off positions. When the
needle characters selected by `sz_locate_needle_anomalies_` are all `\0`
(e.g., needle = "\0\0\0\0"), the zeroed lanes falsely match, producing
spurious bits in `matches` at offsets beyond `h_length - n_length`.

For `n_length <= 3`, this returns an out-of-bounds pointer without any
validation. For `n_length > 3`, `sz_equal_skylake` reads past the haystack
boundary, causing a heap-buffer-overflow.

The fix is to AND `matches` with `mask` (the valid-position bitmask) before
entering the match loop, filtering out spurious matches from masked-off
positions. The same fix is applied to both `sz_find_skylake` and
`sz_rfind_skylake`.

Other implementations (serial, westmere, haswell, neon) are not affected
because they fall back to `sz_find_serial` for the tail instead of using
AVX-512 masked loads.

Reproducer:
    sz_find_skylake("AAAAAAAAAA", 10, "\0\0", 2)
    // Returns offset 9 (OOB) instead of NULL

Found via ClickHouse CI AST fuzzer (MSan build):
    SELECT count() FROM system.schema_inference_cache
    WHERE toNullable(65537) > countSubstrings(source, '\0\0\0\0')

Co-authored-by: Raúl Marín <664253+Algunenano@users.noreply.github.com>

Author: Algunenano

include/stringzilla/find.h

@@ -1374,6 +1374,7 @@ SZ_PUBLIC sz_cptr_t sz_find_skylake(sz_cptr_t h, sz_size_t h_length, sz_cptr_t n
                 _mm512_cmpeq_epi8_mask(h_first_vec.zmm, n_first_vec.zmm),
                 _mm512_cmpeq_epi8_mask(h_mid_vec.zmm, n_mid_vec.zmm)),
             _mm512_cmpeq_epi8_mask(h_last_vec.zmm, n_last_vec.zmm));
+        matches &= mask;
         while (matches) {
             int potential_offset = sz_u64_ctz(matches);
             if (n_length <= 3 || sz_equal_skylake(h + potential_offset, n, n_length)) return h + potential_offset;
@@ -1456,6 +1457,7 @@ SZ_PUBLIC sz_cptr_t sz_rfind_skylake(sz_cptr_t h, sz_size_t h_length, sz_cptr_t
                 _mm512_cmpeq_epi8_mask(h_first_vec.zmm, n_first_vec.zmm),
                 _mm512_cmpeq_epi8_mask(h_mid_vec.zmm, n_mid_vec.zmm)),
             _mm512_cmpeq_epi8_mask(h_last_vec.zmm, n_last_vec.zmm));
+        matches &= mask;
         while (matches) {
             int potential_offset = sz_u64_clz(matches);
             if (n_length <= 3 || sz_equal_skylake(h + 64 - potential_offset - 1, n, n_length))

scripts/test_stringzilla.cpp

@@ -4195,6 +4195,17 @@ void test_search_with_misaligned_repetitions() {
     test_search_with_misaligned_repetitions("abc\0", "abc\0");
     test_search_with_misaligned_repetitions("abcd\0", "abcd");
 
+    // When searching for all-null needles in a haystack with no null bytes.
+    // This exercises the SIMD tail path where masked-off lanes are zeroed:
+    // if the needle characters are also zero, spurious matches appear at
+    // invalid offsets beyond the haystack, causing OOB reads.
+    test_search_with_misaligned_repetitions("a", {"\0\0", 2});
+    test_search_with_misaligned_repetitions("a", {"\0\0\0", 3});
+    test_search_with_misaligned_repetitions("a", {"\0\0\0\0", 4});
+    test_search_with_misaligned_repetitions("a", {"\0\0\0\0\0", 5});
+    test_search_with_misaligned_repetitions("abcd", {"\0\0", 2});
+    test_search_with_misaligned_repetitions("abcd", {"\0\0\0\0", 4});
+
     // When haystack is formed of equidistant needles:
     test_search_with_misaligned_repetitions("ab", "a");
     test_search_with_misaligned_repetitions("abc", "a");