The final possible iteration of the for loop is with i = 126
since the test at the top of the loop is i < PROMPTLEN - 1.
If we take the default case of the switch that handles
*fmt == '\\', we will always take the true branch of the
if (i < PROMPTLEN - 1). That will increment i to 127, and
when we jump back to the top of the loop, i will get incremented
to 128 and we will overflow the ps[] array when storing the
final NUL. Fix this by changing the test in the default case
to (i < PROMPTLEN - 2).