
Buffer corruption with evbuffer_{reserve,commit}_space #778

@htuch

Description


While fuzzing Envoy's buffer implementation, we hit a scenario in which it looks like two segments on the buffer chain get swapped. This is similar to #774 (it might be the same underlying issue), but happens with no owned reference buffers or empty prepends, instead via reserve-commit of buffer space.

The reproducer is described in ChunkSwapCorruption at https://github.com/envoyproxy/envoy/pull/6062/files#diff-811b2195c4583ef0289720708f9f824eR27. This example has been hand-minified from a 12KB fuzzer example; I'm not sure if there is anything more minimal I can provide without some whitebox deep diving.
