fix shf.c-internal buffer overread on printing digits,

introduced by the utf_skipcols()-related fixes, more
specifically the check for combining multibyte characters
past end of given width (bogus mixed-up semantics we have here)
by reïntroducing the NUL byte from commitid 1005474EE1E4024A4E4

shf.c

@@ -25,7 +25,7 @@
 
 #include "sh.h"
 
-__RCSID("$MirOS: src/bin/mksh/shf.c,v 1.73 2016/05/05 22:56:15 tg Exp $");
+__RCSID("$MirOS: src/bin/mksh/shf.c,v 1.74 2016/05/17 15:36:35 tg Exp $");
 
 /* flags to shf_emptybuf() */
 #define EB_READSW	0x01	/* about to switch to reading */
@@ -774,7 +774,7 @@ shf_vfprintf(struct shf *shf, const char *fmt, va_list args)
 	size_t field, precision, len;
 	unsigned long lnum;
 	/* %#o produces the longest output */
-	char numbuf[(8 * sizeof(long) + 2) / 3 + 1];
+	char numbuf[(8 * sizeof(long) + 2) / 3 + 1 + /* NUL */ 1];
 	/* this stuff for dealing with the buffer */
 	ssize_t nwritten = 0;
 
@@ -914,6 +914,7 @@ shf_vfprintf(struct shf *shf, const char *fmt, va_list args)
  integral:
 			flags |= FL_NUMBER;
 			cp = numbuf + sizeof(numbuf);
+			*--cp = '\0';
 
 			switch (c) {
 			case 'd':
@@ -964,7 +965,7 @@ shf_vfprintf(struct shf *shf, const char *fmt, va_list args)
 				}
 			    }
 			}
-			len = numbuf + sizeof(numbuf) - (s = cp);
+			len = numbuf + sizeof(numbuf) - 1 - (s = cp);
 			if (flags & FL_DOT) {
 				if (precision > len) {
 					field = precision;