Report

CVE-2021-3999: glibc getcwd() off-by-one buffer underflow/overflow with size == 1 via the __getcwd_generic fallback

24a12986-9f47-49a6-b2a8-5f6c347322ab

glibc before 2.35 mishandles getcwd() when the caller passes a buffer of exactly one byte. Two pieces of the implementation are involved:

  1. LINUX WRAPPER (sysdeps/unix/sysv/linux/getcwd.c, line 82): After the getcwd syscall, __getcwd checks only (retval > 0 && path[0] == '/') before returning the buffer; it does not compare retval against alloc_size. That missing comparison is not a memory-safety bug by itself: the kernel builds the path in its own page-sized buffer and copies it out only when it fits in the size the caller passed (returning -ERANGE otherwise), so retval cannot exceed alloc_size, with or without a concurrent rename. What matters for this CVE is the other branch of the wrapper: when the syscall fails with ENAMETOOLONG (the kernel's rendering of the cwd path is longer than PATH_MAX) or succeeds with a result that does not start with '/' (cwd not reachable from the process root, reported with an "(unreachable)" prefix), the wrapper falls back to __getcwd_generic(path, size) with the caller's size passed through unchanged, including size == 1, a size for which the kernel path itself never produces a result.

  2. OFF-BY-ONE BUFFER UNDERFLOW (sysdeps/posix/getcwd.c, lines 449-450): __getcwd_generic fills the buffer from the end: dirp starts at &dir[allocated - 1] holding the terminating NUL, and the while loop prepends one parent-directory name per step while climbing to the root. After the loop, if (dirp == &dir[allocated - 1]) *--dirp = '/'; supplies the leading '/' for the case where nothing was prepended, i.e. the cwd already is the root. When allocated == 1 (the caller passed size == 1), dirp is at dir[0], so *--dirp writes '/' ONE BYTE BEFORE the buffer. The copy of the result into the caller's buffer that follows moves dir + allocated - dirp == 2 bytes into a 1-byte buffer, so the bug is a one-byte underflow immediately followed by a one-byte overflow. The store is reachable only through the fallback in item 1, and only when the generic walk's stat(".") vs stat("/") comparison already sees the cwd as the root (otherwise the first name to be prepended fails the generic code's space check with ERANGE before this line); a trigger therefore needs a cwd that the kernel cannot render as a '/'-rooted path of at most PATH_MAX bytes even though, by device and inode, it is the process root. glibc 2.35 fixes this by making getcwd() fail with ERANGE when size == 1 before anything is written: even "/" with its terminator needs two bytes, so no valid result could ever fit.
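The tail of __getcwd_generic described above, modelled in C as an added example (this is not glibc's code; the ".." walk is elided and only the "cwd is the root, nothing prepended" state is modelled, since that is the state in which the bad store runs). The 1-byte buffer is placed between two canary bytes of a larger array so the out-of-bounds stores can be read back instead of corrupting unrelated memory. The names vulnerable_tail, run_size1_demo, slash_index_for_size, hardened_precheck and precheck_errno_for are hypothetical, and hardened_precheck models the size == 1 rejection rather than reproducing the glibc diff.

```c
/* Added example, not glibc source: model of the CVE-2021-3999 tail of
 * __getcwd_generic plus the pre-check that closes it.  Function names
 * are hypothetical.  Build: cc -std=c99 -Wall getcwd_model.c */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* What the generic tail left behind: slash_index is the offset of the
 * written '/' relative to dir (-1 == one byte before the buffer) and
 * copy_len is the byte count the final copy into the caller's buffer
 * would move (dir + allocated - dirp in glibc). */
struct tail_result {
    ptrdiff_t slash_index;
    size_t    copy_len;
};

/* Same control flow as sysdeps/posix/getcwd.c around lines 449-450:
 * the buffer is filled from the end, so dirp starts on the terminating
 * NUL at dir[allocated - 1]. */
static struct tail_result vulnerable_tail(char *dir, size_t allocated)
{
    char *dirp = dir + allocated;
    *--dirp = '\0';                 /* dirp == &dir[allocated - 1] */

    /* ... parent walk elided: cwd is the root, nothing prepended ... */

    if (dirp == &dir[allocated - 1])
        *--dirp = '/';              /* allocated == 1 -> writes dir[-1] */

    struct tail_result r = { dirp - dir, (size_t)(dir + allocated - dirp) };
    return r;
}

/* Outcome of the size-1 run: the bytes either side of the 1-byte buffer
 * after the tail ran, and what the tail reported. */
struct size1_demo {
    char      before;      /* canary immediately below the buffer */
    char      after;       /* canary immediately above it */
    ptrdiff_t slash_index;
    size_t    copy_len;
};

/* Run the tail with allocated == 1.  The buffer is arena[1], so the
 * underflowing store lands on arena[0]; every pointer stays inside
 * `arena`, so this is well-defined C rather than a real underflow. */
static struct size1_demo run_size1_demo(void)
{
    char arena[3] = { 'A', 'B', 'C' };   /* constructed: canary, buf, canary */
    struct tail_result t = vulnerable_tail(&arena[1], 1);
    struct size1_demo d = { arena[0], arena[2], t.slash_index, t.copy_len };
    return d;
}

/* '/' offset the tail reports for an n-byte caller buffer, n in 2..8
 * (the in-bounds sizes, for comparison with the size-1 run). */
static ptrdiff_t slash_index_for_size(size_t n)
{
    char buf[8];
    if (n < 2 || n > sizeof buf)
        return -2;                  /* outside the modelled range */
    return vulnerable_tail(buf, n).slash_index;
}

/* Modelled guard: a 1-byte buffer cannot hold even "/" plus its NUL, so
 * refuse it with ERANGE before any store happens (size == 0 with a
 * non-NULL buf is already EINVAL per POSIX). */
static int hardened_precheck(const char *buf, size_t size)
{
    if (buf != NULL && size == 0) { errno = EINVAL; return -1; }
    if (size == 1)                { errno = ERANGE; return -1; }
    return 0;
}

/* errno the guard produces for a given size (0 if the call may proceed). */
static int precheck_errno_for(size_t size)
{
    char buf[4];
    errno = 0;
    return hardened_precheck(buf, size) == 0 ? 0 : errno;
}

int main(void)
{
    struct size1_demo d = run_size1_demo();
    printf("size 1: '/' written at dir[%td]; byte below the buffer is now '%c'; "
           "final copy would move %zu bytes into a 1-byte buffer\n",
           d.slash_index, d.before, d.copy_len);
    printf("size 2: '/' written at dir[%td] (in bounds)\n", slash_index_for_size(2));
    printf("hardened precheck, size 1: errno %d (ERANGE is %d)\n",
           precheck_errno_for(1), ERANGE);
    return 0;
}
```

Running it shows the size-1 case writing '/' at index -1 (the lower canary changes from 'A' to '/') and reporting a 2-byte copy into the 1-byte buffer, while any size from 2 up places the '/' inside the buffer; the pre-check turns the size-1 call into ERANGE before the tail is ever reached.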