[Runtime] Use the properly resolved tag when adding offset after resolving relative pointers in layout strings

The tag was overwritten after resolve when a prior field caused a non-zero offset. This then caused the runtime to treat is a relative instead of an absolute pointer, causing invalid pointers to be dereferenced.

stdlib/public/runtime/Metadata.cpp

@@ -2827,9 +2827,9 @@ void swift::_swift_addRefCountStringForMetatype(LayoutStringWriter &writer,
       }
 
       if (offset) {
+        LayoutStringReader tagReader {writer.layoutStr, writer.offset};
         auto writerOffsetCopy = writer.offset;
-        reader.offset = layoutStringHeaderSize;
-        auto firstTagAndOffset = reader.readBytes<uint64_t>();
+        auto firstTagAndOffset = tagReader.readBytes<uint64_t>();
         firstTagAndOffset += offset;
         writer.writeBytes(firstTagAndOffset);
         writer.offset = writerOffsetCopy;