My branch bug21018_024 has the fix. From the changes file:
+ - Fix a bug in parsing that could cause clients to read a single+ byte past the end of an allocated region. This bug could be+ used to cause hardened clients (built with+ --enable-expensive-hardening) to crash if they tried to visit+ a hostile hidden service. Non-hardened clients are only+ affected depending on the details of their platform's memory+ allocator. Fixes bug 21018; bugfix on 0.2.0.8-alpha. Found by+ using libFuzzer. Also tracked as TROVE-2016-12-002 and as+ CVE-2016-1254.
Trac: Summary: TROVE-2016-12-002 to TROVE-2016-12-002: read one byte past end of buffer in get_token() Resolution: N/Ato fixed Status: needs_review to closed