Fix unsigned underflow in buffer_check_append_limits()

Same pattern as buffer_check_limits() fix: when buf->used exceeds
buf->writable_size, the unsigned subtraction wraps to a large value,
bypassing the bounds check and taking the fast path without
validation. Add used > writable_size guard before the subtraction.

Author: kodareef5

src/lib/buffer.c

@@ -129,7 +129,8 @@ buffer_check_append_limits(struct real_buffer *buf, size_t data_size)
 	   If it does, we don't even need to memset() the dirty buffer since
 	   it's going to be filled with the newly appended data. */
 #ifndef DEBUG_FAST
-	if (buf->writable_size - buf->used < data_size)
+	if (buf->used > buf->writable_size ||
+	    buf->writable_size - buf->used < data_size)
 		buffer_check_limits(buf, buf->used, data_size);
 	else
 		buf->used += data_size;