Wget HTML extension adjustment reallocates too little for collision suffix loop

In src/http.c, ensure_extension() grows hs->local_file by local_filename_len + 24 + len, then writes ext with strcpy and may later iterate sprintf into the same suffix area while probing for an unused filename. The allocation margin is fixed and the write location is reused for '.NUMBER' collisions, so a long base filename combined with repeated collision probing can overrun the resized buffer.