pwd: fix heap buffer overflow in file_name_prepend

pwd: fix heap buffer overflow in file_name_prepend

file_name_prepend works by right-aligning path data in a growing buffer.
When the buffer is too small, it then allocates a new buffer via
xpalloc() and copies existing data to the end of the new buffer.

Unfortunately, the memcpy destination is computed as buf + p->n_alloc -
n_free, but xpalloc has already updated p->n_alloc to the new (larger)
allocation size while n_free still reflects the old state. This places
the data at too high an offset, writing past the end of the buffer.

Update to properly calculate the destination offset.

Fixes: v9.5-171-g61ab25c35 ("pwd: prefer xpalloc to xnrealloc")