Limit argc to between 0 and 1000 to prevent fatal from MSG_COMMAND, from

Michal Majchrowicz.

cmd.c

@@ -304,6 +304,8 @@ cmd_unpack_argv(char *buf, size_t len, int argc, char ***argv)
 
 	if (argc == 0)
 		return (0);
+	if (argc < 0 || argc > 1000)
+		return (-1);
 	*argv = xcalloc(argc, sizeof **argv);
 
 	buf[len - 1] = '\0';