Fix Mac build without OpenSSL

If OpenSSL is disabled on Mac the SHA1 implementation goes
to the CommonCrypto from the system. In this case we should
not include the generic hash impl. Otherwise there would be
duplicated impls which fail the build.

Remove extra semicolon outside of a function

Without this change, compiling with gcc and pedantic generates warning:
ISO C does not allow extra ‘;’ outside of a function.

merge: lock index during the merge (not just checkout)

allocations: test for overflow of requested size

Fixups for rebase

Provide git_indexwriter_init_for_operation for the common locking
pattern in merge, rebase, revert and cherry-pick.

Always lock the index when we begin the merge, before we write
any of the metdata files.  This prevents a race where another
client may run a commit after we have written the MERGE_HEAD but
before we have updated the index, which will produce a merge
commit that is treesame to one parent.  The merge will finish and
update the index and the resultant commit would not be a merge at
all.

Introduce `git_indexwriter`, to allow us to lock the index while
performing additional operations, then complete the write (or abort,
unlocking the index).

Correct the merge failed cleanup test.  Merge data should not be
cleaned up on conflicts, only on actual failure.  And ORIG_HEAD
should not be removed at all.

Switch to a standard branch-switching pattern of a `SAFE` checkout,
then updating `HEAD`.

Don't require the branch to rebase, if given `NULL`, simply look up
`HEAD`.

Users may want to try to pay attention to the `exec` field on all
rebase operations.

win32: limit the mode to `_wopen`/`_waccess`

gcc and clang support __builtin_add_overflow, use it whenever
possible, falling back to our naive routines.

Make our overflow checking look more like gcc and clang's, so that
we can substitute it out with the compiler instrinsics on platforms
that support it.  This means dropping the ability to pass `NULL` as
an out parameter.

As a result, the macros also get updated to reflect this as well.

Win32 generally ignores Unix-like mode bits that don't make any
sense on the platform (eg `0644` makes no sense to Windows).  But
WINE complains loudly when presented with POSIXy bits.  Remove them.

(Thanks @phkelley)

Reinit `reader` pointer after reading included config file

Fix build warning on Android

https://github.com/attractivechaos/klib/pull/42/files introduces
`kreallocarray`.  Hook that up as our `git__reallocarray`.

Add some helper functions to check for overflow in a type-specific
manner.

Ensure that the given length to `p_read` is of ssize_t and ensure
that callers test the return as if it were an `ssize_t`.

Use `size_t` to hold the size of arrays to ease overflow checking,
lest we check for overflow of a `size_t` then promptly truncate
by packing the length into a smaller type.

Have the ALLOC_OVERFLOW testing macros also simply set_oom in the
case where a computation would overflow, so that callers don't
need to.

Introduce `git_buf_grow_by` to incrementally increase the size of a
`git_buf`, performing an overflow calculation on the growth.

Introduce git__reallocarray that checks the product of the number
of elements and element size for overflow before allocation.  Also
introduce git__mallocarray that behaves like calloc, but without the
`c`.  (It does not zero memory, for those truly worried about every
cycle.)

Introduce some helper macros to test integer overflow from arithmetic
and set error message appropriately.

Always do a time_t cast on st_mtime. st_mtime on Android is not
the type of time_t but has the same meaning which is the number
of seconds past epoch.

Check rebase options version on public entry points

Fixes #2869. If included file includes more files, it may reallocate
cfg_file->readers, hence invalidate not only `r` pointer, but `result`
pointer as well.

It fails at least on my computer, though it may depend on some unpredictable
factors (say, will realloc() extend the memory segment in place, or it will
allocate new memory).