C++: Fix missing bounds in range analysis

[MathiasVP]

This PR adds bounds for the following case:

void foo(char* p, unsigned index, char* end) {
  if(p + index < end) {
    use(*(p + index)); // <-- In here we now know that `p + index` is bounded by `end`
  }
}

This is motivated by CVE-2016-10160, and the first commit adds a reduced version of that vulnerability (and indeed after this PR we correctly identify this CVE).

The reason we didn't find the issue in the first commit is as follows:

Currently, on main, the range-analysis library didn't spot that the pointer-arithmetic expression p + index in the p + index > end guard is identical to the one being used for the store operation in p[index] = '\0', and so we didn't realize that there's an off-by-one error here.

In contrast, when we're storing the result of the pointer-arithmetic expression in a local variable q, we correctly catch this.

The second commit fixes this by generating a new SSAVariable representing pointer-arithmetic expressions appearing in guards, and using GVN to connect the p + index in the guard with the pointer-arithmetic expression computing the address of p[index].

(And for completeness: The last commit accepts the test changes.)