Prevent TOCTTOU bugs in C ports

* libguile/ports-internal.h (scm_port_buffer_can_take):
  (scm_port_buffer_can_put): Add cur/end output arguments so that when a
  caller asks the buffer room, it can be relative to a fixed point in
  the buffer and not whatever point it's at when we go to fill it.
  (scm_port_buffer_did_take, scm_port_buffer_did_put): Similarly,
  require that the caller knows where they took/put data in the buffer.
  Prevents overflow.
  (scm_port_buffer_take_pointer, scm_port_buffer_put_pointer): Likewise,
  require that the caller has already checked and knows a position in
  the buffer and therefore how much data is available.
  (scm_port_buffer_take, scm_port_buffer_put, scm_port_buffer_putback):
  Adapt.
* libguile/ports.h (scm_fill_input): Add cur/avail output arguments.
* libguile/filesys.c:
* libguile/poll.c:
* libguile/ports.c:
* libguile/r6rs-ports.c:
* libguile/read.c:
* libguile/rw.c: Adapt all callers.  Gnarly work!

libguile/filesys.c

@@ -647,20 +647,21 @@ set_element (fd_set *set, SCM *ports_ready, SCM element, int pos)
   else
     {
       int use_buf = 0;
+      size_t cur;
 
       element = SCM_COERCE_OUTPORT (element);
       SCM_ASSERT (SCM_OPFPORTP (element), element, pos, "select");
       if (pos == SCM_ARG1)
 	{
 	  /* Check whether port has input buffered.  */
-	  if (scm_port_buffer_can_take (SCM_PORT (element)->read_buf) > 0)
+	  if (scm_port_buffer_can_take (SCM_PORT (element)->read_buf, &cur) > 0)
 	    use_buf = 1;
 	}
       else if (pos == SCM_ARG2)
 	{
 	  /* Check whether port's output buffer has room.  > 1 since
              writing the last byte in the buffer causes flush.  */
-	  if (scm_port_buffer_can_put (SCM_PORT (element)->write_buf) > 1)
+	  if (scm_port_buffer_can_put (SCM_PORT (element)->write_buf, &cur) > 1)
 	    use_buf = 1;
 	}
       fd = use_buf ? -1 : SCM_FPORT_FDES (element);