Fix out-of-bounds read in serialno matching logic
We very carefully ensured _cur_link + 1 was in bounds, and then dereferenced nlinks + 1 (guaranteed to be out of bounds) instead. Introduced in commit f83675eb.
Thanks to the Google Autfuzz project for the report.
Fixes #2326