refactor: cleaner bounds check in utf8.js deLoose

[Copilot]

The deLoose function searches for UTF-8 replacement character sequences (0xEF 0xBF 0xBD) but had an off-by-one error allowing out-of-bounds reads.

Changes

• utf8.js: Fixed bounds check when searching for 3-byte replacement sequence
  • Changed last = res.length - 2 → last = res.length - 3 (last valid position to read 3 consecutive bytes)
  • Changed loop condition start < last → start <= last
  • Added pos > last guard after indexOf to prevent OOB access when 0xEF found near array end

// Before: when pos = res.length - 2, accessing res[pos + 2] reads res[res.length]
const last = res.length - 2
while (start < last) {
  const pos = res.indexOf(0xef, start)
  if (pos === -1) break
  if (res[pos + 1] === 0xbf && res[pos + 2] === 0xbd) { // OOB possible

// After: safe bounds for 3-byte sequence access
const last = res.length - 3
while (start <= last) {
  const pos = res.indexOf(0xef, start)
  if (pos === -1 || pos > last) break
  if (res[pos + 1] === 0xbf && res[pos + 2] === 0xbd) { // always in bounds

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Review the codebase and identify mistakes</issue_title>
<issue_description>Ignore tests/wpt and other vendored tests

Note: wif using synchronous path for async implementation is not an issue, it's done for perf, as underlying method is always sync (again, for perf).

Pay close attention to corner cases

Ignore utf-32 for now, it's not yet shipped and is incomplete.</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Review the codebase and identify mistakes #43

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[ChALkeR]

This has no real effect but makes sense for code clarity