Curl_ssl_push_certinfo_len: don't %.*s non-zero-terminated string

Our own printf() replacement clearly can't properly handle %.*s with a
string that isn't zero terminated. Instead of fixing the printf code or
even figuring out what the proper posix behavior is, I reverted this
piece of the code back to the previous version where it does malloc +
memcpy instead.

Regression added in e839446c2a, released in curl 7.32.0.

Reported-by: Felix Yan
Bug: http://curl.haxx.se/bug/view.cgi?id=1295

lib/sslgen.c

@@ -611,6 +611,9 @@ int Curl_ssl_init_certinfo(struct SessionHandle * data,
   return 0;
 }
 
+/*
+ * 'value' is NOT a zero terminated string
+ */
 CURLcode Curl_ssl_push_certinfo_len(struct SessionHandle *data,
                                     int certnum,
                                     const char *label,
@@ -621,12 +624,22 @@ CURLcode Curl_ssl_push_certinfo_len(struct SessionHandle *data,
   char * output;
   struct curl_slist * nl;
   CURLcode res = CURLE_OK;
+  size_t labellen = strlen(label);
+  size_t outlen = labellen + 1 + valuelen + 1; /* label:value\0 */
 
-  /* Add an information record for a particular certificate. */
-  output = curl_maprintf("%s:%.*s", label, valuelen, value);
+  output = malloc(outlen);
   if(!output)
     return CURLE_OUT_OF_MEMORY;
 
+  /* sprintf the label and colon */
+  snprintf(output, outlen, "%s:", label);
+
+  /* memcpy the value (it might not be zero terminated) */
+  memcpy(&output[labellen+1], value, valuelen);
+
+  /* zero terminate the output */
+  output[labellen + 1 + valuelen] = 0;
+
   nl = Curl_slist_append_nodup(ci->certinfo[certnum], output);
   if(!nl) {
     free(output);