Check for format-string based security holes

[ajps]

Look for more security holes like the ones fixed in r1437 where we're passing an "insecure" string directly to a formatting function instead of ("%s", string).

And then fix them.

[morth]

Adding printf format attributes to z-form.h find these errors:

cmd1.c: In function ‘py_pickup_gold’: cmd1.c:168: warning: format ‘%ld’ expects type ‘long int’, but argument 4 has type ‘s32b’

cmd5.c: In function ‘get_spell’: cmd5.c:294: warning: unknown conversion type character ‘^{’ in format cmd5.c:294: warning: unknown conversion type character ‘}’ in format cmd5.c:369: warning: unknown conversion type character ‘^{’ in format}

cmd5.c: In function ‘browse_spell’: cmd5.c:456: warning: unknown conversion type character ‘^{’ in format cmd5.c:463: warning: unknown conversion type character ‘}’ in format

monster/monster1.c: In function ‘output_desc_list’: monster/monster1.c:69: warning: unknown conversion type character ‘^{’ in format}

x-spell.c: In function ‘get_spell_info’: x-spell.c:227: warning: spurious trailing ‘%’ in format x-spell.c: In function ‘get_spell_info’: x-spell.c:227: warning: spurious trailing ‘%’ in format

The caret is the uppercase conversion marked with "mega-hack", and it caused some follow up errors that I've filtered out. But cmd1.c and x-spell.c are real errors, the former most serious since it will break on 64 bit platforms.

[takkaria]

I've fixed those last two. We should maybe look at ways to include the format string markers all the time and avoid using the Angband-specific bits to avoid this kind of problem. Bumping to 3.1.2 now.