vary: Prevent a buffer overflow in VRY_Validate()

We might read past the end of the workspace when no space was available
at reservation time. This would normally go unnotticed since we used to
get zeros after the end of workspace marker, and no assertion would
trigger. It became visible with the previous commit for pointer-aligned
workspace sizes like the current page-aligned default values.

Initially caught by wssan from #3320.

Fixes #3319

bin/varnishd/cache/cache_vary.c

@@ -260,6 +260,15 @@ VRY_Finish(struct req *req, enum vry_finish_flag flg)
 {
 	uint8_t *p = NULL;
 
+	if (req->vary_b + 2 >= req->vary_e) {
+		AZ(req->vary_l);
+		req->vary_b = NULL;
+		req->vary_e = NULL;
+		WS_Release(req->ws, 0);
+		WS_MarkOverflow(req->ws);
+		return;
+	}
+
 	(void)VRY_Validate(req->vary_b);
 	if (flg == KEEP && req->vary_l != NULL) {
 		p = malloc(req->vary_l - req->vary_b);

bin/varnishtest/tests/r03319.vtc

+varnishtest "Vary handling out of workspace"
+
+varnish v1 -vcl {
+	import vtc;
+
+	backend be none;
+
+	sub vcl_recv {
+		vtc.workspace_alloc(client, vtc.workspace_free(client));
+	}
+
+	sub vcl_backend_fetch {
+		return (error(200));
+	}
+} -start
+
+client c1 {
+	txreq
+	rxresp
+	expect resp.status == 500
+} -run