integer and buffer overflows: introduce safe_malloc_ary

When allocating an array, it is necessary to check that the
multiplication (to compute the size in bytes) does not overflow.

Do this in a new function safe_malloc_ary, which we call in both the
places where safe_malloc was previously used with an unchecked
multiplication.

Signed-off-by: Ian Jackson <ijackson@chiark.greenend.org.uk>