log: expand each message once before handing it to backends

[janry]

log_t::custom_fatal passed its buffer to ::syslog(LOG_ERR, buffer) as
the format argument. By then log_t::fatal had already expanded the
caller's format with vsprintf, so any % directives still present in
the text — for example from a %s argument holding bytes read from a
file — were interpreted a second time by syslog with no further
arguments to consume. scenario_t::rdwr reaches this with
savegame-controlled data: it formats the persistent-data string with
%s into a fatal message. The effect ranges from garbled output to a
read of unintended memory; %n could in principle write, though many
libc builds reject it in a writable format string. It only applies
when compiled with SIMUTRANS_USE_SYSLOG and run with -syslog.

The vsyslog branches in pakset/debug/message/warning/error and the
matching __android_log_vprint branches concatenate the caller's
format into another format string the same way. Every current caller
passes a string literal, so these are not known to be reachable, but
the shape is easy to misuse later.

Each logger now expands (format, ...) once into a cbuffer_t and hands
the result to log, tee, syslog and android as a "%s" argument. While
here, log_t::fatal's two static buffers become locals so a re-entrant
fatal cannot overwrite them, and warning's Android line is labelled
"Warning:" instead of "Debug:".