These functions can return NULL for otherwise-valid values of
time_t.  Notably, the glibc gmtime manpage says it can return NULL
if the year if greater than INT_MAX, and the windows MSDN gmtime
page says it can return NULL for negative time_t values.

Also, our formatting code is not guaranteed to correctly handle
years after 9999 CE.

This patch tries to correct this by detecting NULL values from
gmtime/localtime_r, and trying to clip them to a reasonable end of
the scale.  If they are in the middle of the scale, we call it a
downright error.

Arguably, it's a bug to get out-of-bounds dates like this to begin
with.  But we've had bugs of this kind in the past, and warning when
we see a bug is much kinder than doing a NULL-pointer dereference.

Boboper found this one too.