Safety: in vstream_buf_space(), add a sanity check to reject
negative request sizes, instead of letting the program fail
later. File: util/vstream.c

Bugfix: in tests that enable the VSTRING_FLAG_EXACT flag,
vstring_buf_put_ready() could fail to extend the buffer,
causing infinite recursion in VBUF_PUT(). File: util/vstring.c.

Bugfix: in vbuf_print(), save the parser-produced format
string before calling msg_panic(), so that the panic message
will not display its own format string. File: util/vbuf_print.c.

Portability (introduced Postfix 1.0): possible cause for
panic in postqueue when listing the deferred queue. This
assigned the result from unsigned integer subtraction to a
signed integer, followed by a safety check to ensure that
the result was non-negative. This assignment relied on
undefined behavior, meaning that a compiler may eliminate
the safety check, causing the program to fail later. File:
postqueue/showq_compat.c.

Safety: restore sanity checks for dynamically-specified
width and precision in format strings (%*, %.*, and %*.*).
These checks were lost with the Postfix 3.2.2 rewrite of
the vbuf_print formatter. File: vbuf_print.c.