ffs_reallocblks(): ensure that pref cg is valid

ffs_blkpref_ufsX() must return in-range pref frag number, otherwise
calculated cg index is out of range for fs, causing out of range
accesses to the structures sized by the number of cg, e.g. the
fs_maxcluster[] array in ffs_clusteralloc().

The easiest way to trigger it is to overflow the volume.

In collaboration with: pho
Reviewed by: mckusick
Sponsored by: The FreeBSD Foundation
MFC afer: 1 week
Differential revision: https://reviews.freebsd.org/D48378