Fails on empty comments without 4 -"

The parser was crashing because of bad slice bounds

Closes tafia#604

Changelog.md

@@ -18,12 +18,13 @@
 
 ### Bug Fixes
 
-### Misc Changes
+- [#618]: Avoid crashing on wrong comments `<!-->`.
 
+### Misc Changes
 
 [#609]: https://github.com/tafia/quick-xml/pull/609
 [#615]: https://github.com/tafia/quick-xml/pull/615
-
+[#618]: https://github.com/tafia/quick-xml/pull/618
 
 ## 0.29.0 -- 2023-06-13
 

src/reader/parser.rs

@@ -100,6 +100,10 @@ impl Parser {
                         return Err(Error::UnexpectedToken("--".to_string()));
                     }
                 }
+                if len < 5 {
+                    // We do not have any text content
+                    return Err(Error::UnexpectedToken("<!-->".to_string()));
+                }
                 Ok(Event::Comment(BytesText::wrap(
                     &buf[3..len - 2],
                     self.decoder(),

tests/fuzzing.rs

@@ -60,3 +60,29 @@ fn fuzz_empty_doctype() {
     ));
     assert_eq!(reader.read_event_into(&mut buf).unwrap(), Event::Eof);
 }
+
+#[test]
+fn fuzz_empty_comment() {
+    let data = b"<?xml version=\"1.0\" encoding=\"utf-8\"?><!-->";
+    let mut reader = Reader::from_reader(data.as_slice());
+    let mut buf = Vec::new();
+    loop {
+        match reader.read_event_into(&mut buf) {
+            Ok(Event::Eof) => break,
+            _ => (),
+        }
+    }
+}
+
+#[test]
+fn fuzz_empty_comment2() {
+    let data = b"<?xml version=\"1.0\" encoding=\"utf-8\"?><!--->";
+    let mut reader = Reader::from_reader(data.as_slice());
+    let mut buf = Vec::new();
+    loop {
+        match reader.read_event_into(&mut buf) {
+            Ok(Event::Eof) => break,
+            _ => (),
+        }
+    }
+}