Fix more overflow checks, off-by-ones and missing NUL terminators in xmlBuf and xmlBuffer

In broad strokes, this does the following:
- Do not include the NUL terminator byte for lengths returned from functions. This lets functions be more defensive.
- Set error messages when returning early due to out-of-memory or buffer-too-large errors.
- Set NUL terminator consistently on buffer boundaries before returning.
- Add a few more integer overflow checks.

* buf.c:
(xmlBufGrowInternal):
- Do not include NUL terminator byte when returning length.
- Always set NUL terminator at the end of the new buffer length before returning.
- Call xmlBufMemoryError() when the buffer size would overflow.
- Account for NUL terminator byte when using XML_MAX_TEXT_LENGTH.
- Always set NUL terminator at the end of the current buffer after resizing the buffer.
(xmlBufAddLen):
- Return an error if the buffer does not have free space for the NUL terminator byte.
(xmlBufAvail):
- Do not include the NUL terminator byte in the length returned. (See changes to encoding.c and xmlIO.c.)
(xmlBufResize):
- Move setting of NUL terminator to common code. More than one path through the function failed to set it.
(xmlBufAdd):
- Call xmlBufMemoryError() when the buffer size would overflow.

* encoding.c:
(xmlCharEncFirstLineInput):
(xmlCharEncInput):
(xmlCharEncOutput):
- No longer need to subtract one from the return value of xmlBufAvail() since the function does this now.

* testchar.c:
(testCharRanges):
- Pass the string length without the NUL terminator.

* tree.c:
(xmlBufferGrow):
- Do not include NUL terminator byte when returning length.
- Always set NUL terminator at the end of the new buffer length before returning.
- Call xmlTreeErrMemory() when the buffer size would overflow.
- Always set NUL terminator at the end of the current buffer after resizing the buffer.
(xmlBufferDump):
- Change type of the return variable to match fwrite().
- Clamp return value to INT_MAX to prevent overflow.
(xmlBufferResize):
- Update error message in xmlTreeErrMemory() to be consistent with other similar messages.
- Move setting of NUL terminator to common code. More than one path through the function failed to set it.
(xmlBufferAdd):
- Call xmlTreeErrMemory() when the buffer size would overflow.
(xmlBufferAddHead):
- Set NUL terminator before returning early when shifting contents.
- Add overflow checks similar to those in xmlBufferAdd().

* xmlIO.c:
(xmlOutputBufferWriteEscape):
- No longer need to subtract one from the return value of xmlBufAvail() since the function does this now.
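
The length convention the commit message describes (available space excludes the NUL terminator byte, growth is checked for integer overflow, and the terminator is set after every resize), shown as an added example that is not libxml2's code. `demo_buf`, its functions and `DEMO_MAX_LEN` are hypothetical names, and the 64-byte cap is a constructed stand-in for a maximum text length.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_MAX_LEN 64            /* constructed cap on size, NUL included */
typedef struct {
    char  *content;                /* invariant: content[use] == '\0' */
    size_t use;                    /* bytes used, NUL not counted */
    size_t size;                   /* bytes allocated, NUL slot included */
} demo_buf;

/* Writable bytes, with the NUL slot already subtracted. */
static size_t demo_avail(const demo_buf *b) {
    return b->size > b->use ? b->size - b->use - 1 : 0;
}

/* Make room for len more bytes plus the NUL. 0 on success, -1 on error. */
static int demo_grow(demo_buf *b, size_t len) {
    if (b->content != NULL && len <= demo_avail(b)) return 0;
    if (len >= SIZE_MAX - b->use) return -1;      /* use + len + 1 would wrap */
    size_t need = b->use + len + 1;
    if (need > DEMO_MAX_LEN) return -1;           /* the cap counts the NUL */
    char *p = realloc(b->content, need);
    if (p == NULL) return -1;
    b->content = p; b->size = need;
    b->content[b->use] = '\0';                    /* terminate after resizing */
    return 0;
}

/* Caller wrote len bytes directly after content[use]; commit them. */
static int demo_add_len(demo_buf *b, size_t len) {
    if (b->content == NULL || len > demo_avail(b)) return -1; /* no NUL slot */
    b->use += len;
    b->content[b->use] = '\0';
    return 0;
}

/* Append len bytes of s; len excludes any NUL terminator in s. */
static int demo_add(demo_buf *b, const char *s, size_t len) {
    if (demo_grow(b, len) != 0) return -1;
    memcpy(b->content + b->use, s, len);
    return demo_add_len(b, len);
}

int main(void) {
    demo_buf b = {0};
    int rc = demo_add(&b, "abc", 3);              /* constructed input */
    free(b.content);
    return rc == 0 ? 0 : 1;
}
```

Because `demo_avail()` already subtracts the terminator slot, callers compare their write length against it directly, with no `- 1` at the call site.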