date: cap format width to i32::MAX to prevent OOM

[sylvestre]

found by the fuzzer

[github-actions]

GNU testsuite comparison:

Skip an intermittent issue tests/date/date-locale-hour (fails in this run but passes in the 'main' branch)
Skip an intermittent issue tests/pr/bounded-memory (fails in this run but passes in the 'main' branch)
Congrats! The gnu test tests/misc/io-errors is no longer failing!

[github-actions]

GNU testsuite comparison:

GNU test failed: tests/date/date. tests/date/date is passing on 'main'. Maybe you have to rebase?
Skip an intermittent issue tests/date/date-locale-hour (fails in this run but passes in the 'main' branch)
Skipping an intermittent issue tests/tty/tty-eof (passes in this run but fails in the 'main' branch)
Congrats! The gnu test tests/misc/io-errors is no longer failing!
Note: The gnu test tests/pr/bounded-memory is now being skipped but was previously passing.
Note: The gnu test tests/seq/seq-epipe is now being skipped but was previously passing.

[collinfunk]

I'm a bit confused by this claim:

$ date -d 2024-01-01 "+r++%++8888888888r+%" | wc -c
8888888894
$ ./target/debug/date -d 2024-01-01 "+r++%++8888888888r+%" | wc -c
1006

[xtqqczze]

GNU date limit is about i64::MAX - 3, and it errors instead of capping output:

$ date --version
date (GNU coreutils) 9.10
$ date -d 2024-01-01 "+r++%++9223372036854775805r+%"
r++gdate: fprintftime error: Result too large

[xtqqczze]

Related: coreutils/gnulib@ec0649f

[sylvestre]

please don't share links to GNU's projects. The licenses are not compatible.

[xtqqczze]

Should we just error instead of capping width?

[xtqqczze]

There is still the issue that our implementation allocates too much memory for width of i32::MAX.

Since there is no reasonable use case anyway, we could cap or error at u16::MAX.