An assertion GUF_ASSERT(str_is_valid(dst)) failed in guf_str_copy when it called guf_str_cstr(dst)
since guf_str_cstr assumes an already valid string, which was not the case when src was a short string.
Therefore, we get the dst's c_str now without calling guf_str_cstr(dst)
(Found by writing DbufStrTest.)
Expressions like
(uin16_t)a * (uint16_t)b * (uint16_t)c
might be promoted to (signed) int (in that example, on platforms where sizeof(int) > sizeof(uint16_t)),
and therefore lead to undefined behaviour on overflow.
The above expression can be fixed as
1u * (uint16_t)a * (uint16_t)b * (uint16_t)c
(The 1u makes sure a, b, and c would be promoted to unsigned int (instead of int) on platforms where sizeof(int) > sizeof(uint16_t))
cf. https://stackoverflow.com/questions/27001604/32-bit-unsigned-multiply-on-64-bit-causing-undefined-behavior
