> may wish to operate on entire codepoints instead of always checking for potential end of buffer mid-decoding
That sounds like the sort of reasoning that results in compiler bugs like:
thing_t* nextp=p+1;
// other declarations for this function
if(!p) abort_thing("null pointer"); // optimised out
/* CVE-20XX-#####: user-space code can compromise kernel $THING if it mmap()s $STUFF at address zero */
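
The ordering problem in the snippet above, with the checks moved ahead of the pointer arithmetic. This is an added example, not part of the original comment; `thing_t`'s layout, the `end` bound and `next_thing()` are assumptions made for illustration.

```c
#include <stddef.h>

/* Hypothetical record type standing in for the comment's thing_t. */
typedef struct { int id; } thing_t;

/*
 * Order used in the comment (shown here only as text, not compiled):
 *
 *     thing_t *nextp = p + 1;
 *     if (!p) abort_thing("null pointer");
 *
 * Forming p + 1 from a null p is undefined behaviour, so the compiler may
 * assume p is non-null from that point on and delete the later check.
 */

/*
 * Hardened order: validate p and the end-of-buffer bound before any
 * pointer is derived from p.
 *
 * end is one past the last element of the array that p points into.
 * Returns 0 and stores the successor in *out, or -1 and leaves *out alone.
 */
int next_thing(const thing_t *p, const thing_t *end, const thing_t **out)
{
    if (p == NULL || end == NULL || out == NULL)
        return -1;      /* nothing has been derived from p yet, so this check must stay */
    if (end - p < 2)
        return -1;      /* p + 1 would not point at a valid element */
    *out = p + 1;       /* safe: p is non-null and p + 1 < end */
    return 0;
}
```

Where the code cannot be reordered everywhere, GCC's `-fno-delete-null-pointer-checks` tells the optimiser not to assume that a pointer is non-null because it was already used.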