Report
Bounds-checked allocation followed by unsafe sprintf/strcpy in path composition
14f0e027-b644-4a6d-9207-468288be3df1
In Wget's path-building code, several routines allocate a buffer based on computed lengths and then immediately fill it with sprintf()/strcpy() using user-influenced path fragments. If the length arithmetic is wrong or a later path component is larger than expected, the write can overrun the heap buffer and corrupt memory.
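A hardened form of the allocate-then-format pattern described above, as an added example that is not Wget's code. The helper names `compose_path` and `compose_path_into` and the sample path fragments are hypothetical, chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: write "dir/file" into out[cap].
   Returns the length written, or -1 if the result does not fit. */
int compose_path_into(char *out, size_t cap, const char *dir, const char *file)
{
    if (cap == 0)
        return -1;
    /* snprintf never writes more than cap bytes; its return value is the
       length the full string needs, so n >= cap means truncation. */
    int n = snprintf(out, cap, "%s/%s", dir, file);
    if (n < 0 || (size_t)n >= cap) {
        out[0] = '\0';          /* never hand back a half-built path */
        return -1;
    }
    return n;
}

/* Hypothetical helper: heap-allocating variant.
   Returns a malloc'd string, or NULL on size overflow, allocation
   failure, or a mismatch between the computed size and the write. */
char *compose_path(const char *dir, const char *file)
{
    size_t dlen = strlen(dir);
    size_t flen = strlen(file);

    /* dlen + '/' + flen + NUL must not wrap around SIZE_MAX. */
    if (dlen > SIZE_MAX - 2 || flen > SIZE_MAX - 2 - dlen)
        return NULL;
    size_t need = dlen + flen + 2;

    char *buf = malloc(need);
    if (buf == NULL)
        return NULL;

    /* The write is bounded by the same size that was allocated, so an
       error in the arithmetic above fails closed instead of overrunning. */
    if (compose_path_into(buf, need, dir, file) != (int)(need - 1)) {
        free(buf);
        return NULL;
    }
    return buf;
}
```

The point of the second check is that the allocation size and the write bound come from one variable, so a later change to the length arithmetic cannot silently desynchronize them.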