BUG/MAJOR: buf: fix varint API post- vs pre- increment

A bogus test in b_get_varint(), b_put_varint(), b_peek_varint() shifts
the end of the buffer by one byte. Since the bug is the same in the read
and write functions, the buffer contents remain compatible, which explains
why this bug was not detected earlier. But if the buffer ends on an
aligned address or page, it can result in a one-byte overflow which will
typically cause a crash or an inconsistent behavior.

This API is only used by rings (e.g. for traces and boot messages) and
by DNS responses, so the probability to hit it is extremely low, but a
crash on boot was observed.

This must be backported to 2.2.

(cherry picked from commit dd362b7b24ea24d8f3c882dab1a69cf78af7cc90)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/include/haproxy/buf.h b/include/haproxy/buf.h
index a0e1cb8..6cfd9d3 100644
--- a/include/haproxy/buf.h
+++ b/include/haproxy/buf.h
@@ -699,7 +699,7 @@
 		v = (v - 0xF0) >> 4;
 
 		while (1) {
-			if (tail++ == wrap)
+			if (++tail == wrap)
 				tail -= size;
 			data++;
 			if (v < 0x80)
@@ -734,7 +734,7 @@
 		v = (v - 0xF0) >> 4;
 
 		while (1) {
-			if (tail++ == wrap)
+			if (++tail == wrap)
 				tail -= size;
 			data++;
 			if (data == size || v < 0x80)
@@ -773,7 +773,7 @@
 		v = *head;
 		bits += 4;
 		while (1) {
-			if (head++ == wrap)
+			if (++head == wrap)
 				head -= size;
 			data--;
 			if (!data || !(*head & 0x80))
@@ -815,7 +815,7 @@
 		v = *head;
 		bits += 4;
 		while (1) {
-			if (head++ == wrap)
+			if (++head == wrap)
 				head -= size;
 			data--;
 			if (!data || !(*head & 0x80))