pwntools
FmtStr with badbytes can return a payload that does not do its job
Proof of concept (does not work yet due to a separate bug with non-empty badbytes writing at a nonzero address):
>>> fmtstr_payload(6, {8: 0x55d15d2004a0}, badbytes=b'\n')
b'%1184c%13$lln%49c%14$hhn%51c%15$hn%81c%16$hhn%8c%17$hhna\x08\x00\x00\x00\x00\x00\x00\x00\x0c\x00\x00\x00\x00\x00\x00\x00\t\x00\x00\x00\x00\x00\x00\x00\r\x00\x00\x00\x00\x00\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00'
This can be worked around by passing e.g. overflows=255 to the function.
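To see which byte the payload above gets wrong, here is an added simulator of printf's %c/%n accounting (not pwntools code). It assumes, as in the PoC, that the payload itself sits at stack argument 6 and that every %n-family write targets the 8-byte addresses appended to the format string:

```python
import re
import struct

# Copy of the PoC payload from the issue (constructed: format part + five LE addresses).
PAYLOAD = (b'%1184c%13$lln%49c%14$hhn%51c%15$hn%81c%16$hhn%8c%17$hhna'
           + b''.join(struct.pack('<Q', a) for a in (8, 12, 9, 13, 11)))

SIZES = {'hh': 1, 'h': 2, '': 4, 'l': 8, 'll': 8}   # bytes written per length modifier
DIRECTIVE = re.compile(rb'%(\d+)c%(\d+)\$(hh|h|ll|l)?n')

def simulate(payload, offset, word=8):
    """Return {addr: byte} as printf would leave memory after processing payload.
    `offset` is the stack argument index at which the payload starts (6 in the PoC)."""
    mem, count, pos = {}, 0, 0
    for m in DIRECTIVE.finditer(payload):
        count += m.start() - pos          # literal bytes before the directive are printed too
        pos = m.end()
        count += int(m.group(1))          # %Nc pads N characters
        idx = int(m.group(2))
        size = SIZES[(m.group(3) or b'').decode()]
        start = (idx - offset) * word     # argument idx is (idx - offset) words into the payload
        addr = int.from_bytes(payload[start:start + word], 'little')
        value = count & ((1 << (8 * size)) - 1)
        for i, b in enumerate(value.to_bytes(size, 'little')):
            mem[addr + i] = b
    return mem

def read_qword(mem, addr):
    """Little-endian 8-byte read from the simulated memory (unwritten bytes read as 0)."""
    return int.from_bytes(bytes(mem.get(addr + i, 0) for i in range(8)), 'little')

def mismatches(payload, offset, writes):
    """Addresses whose final byte differs from the intended 8-byte writes {addr: value}."""
    mem = simulate(payload, offset)
    return [addr + i
            for addr, value in writes.items()
            for i, b in enumerate(value.to_bytes(8, 'little'))
            if mem.get(addr + i, 0) != b]

if __name__ == '__main__':
    print(hex(read_qword(simulate(PAYLOAD, 6), 8)))   # 0x55d15d0504a0, not 0x55d15d2004a0
    print(mismatches(PAYLOAD, 6, {8: 0x55d15d2004a0}))  # [10]
```

The only wrong byte is at address 10 (0x0a, the banned b'\n'): the %15$hn write at address 9 lands 0x0504 there instead of 0x2004, so the badbyte avoidance changed the target but not the written value.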