Here are some strings representing valid refs:
app/org.test.App/x86_64/stable - full ref
org.test.App/x86_64/stable - full ref without prefix
org.test.App - only app ID
org.test.App/x86_64 - only app ID and arch
org.test.App//stable - only app ID and branch
Therefore, if a ref's prefix (ie., 'app/' or 'runtime/) is skipped,
then there can only be a maximum of 3 other elements in it.
Right now, it's possible for find_current_element() to return a count
of 4, if the string being completed is invalid and has some extra
elements or slashes in it. This count is later used to index the
cur_parts array which only has 4 elements in it. This opens up the
possibility of a buffer overrun.
Invalid strings with extra elements or slashes can't be further
completed because none of the existing refs will match them.
Therefore, such strings should be outright skipped.
For the rest of the valid strings, the exact intended branch name is
never known, because the branch element doesn't have a trailing slash
and hence appears to be a prefix. Therefore, it's not possible to use
the branch to find a list of existing refs that could possibly
complete the string.
Fallout from 7018717ce2
52d10816c7