As with the previous commit, when getting a child from a serialised
tuple, check its offset against the length of the serialised data of the
tuple (excluding the length of the offset table). The offset was already
checked against the length of the entire serialised tuple (including the
offset table) — but a child should not be able to start inside the
offset table.

A test is included.

oss-fuzz#9803

Signed-off-by: Philip Withnall <withnall@endlessm.com>