Report

CVE-2019-5953: wget 1.20.1 heap buffer overflow in reencode_escapes() URL handling

42b26e3d-d709-4835-9e4d-65a52c3eca55

CVE-2019-5953 is a heap buffer overflow in wget 1.20.1's reencode_escapes() function in src/url.c (lines 406-449). The function re-encodes URL characters in two passes: the first pass counts the characters that need encoding using the context-sensitive char_needs_escaping() predicate and allocates a buffer of size (oldlen + 2*encode_count); the second pass then writes the encoded string into that buffer.

The vulnerability arises from the interaction between URL decoding and this buffer allocation. char_needs_escaping() is context-sensitive for '%' characters (it peeks at *(p+1) and *(p+2)), and all length calculations use 'int' variables (int oldlen, newlen, encode_count). A specially crafted URL with specific patterns of '%' characters can cause the buffer to be allocated too small, so the second pass writes past the end of the heap allocation.

reencode_escapes() is reached from url_parse(), with attacker-controlled input arriving via HTTP Location: redirect headers.
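Added example, not wget's code: a C reimplementation of the two-pass scheme described above, with a context-sensitive '%' predicate modelled on the description, size_t length arithmetic instead of int, and a remaining-room check in the write pass so that any disagreement between the counting and writing passes fails closed instead of overflowing the heap. The unsafe-character set, the function names and the sample inputs are assumptions for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Context-sensitive predicate as the report describes it: control/non-ASCII
 * and a small hypothetical unsafe set (not wget's urlchr table) always escape;
 * '%' escapes unless followed by two hex digits (short-circuit: p[2] is never
 * read when p[1] is the terminator). */
static int needs_escaping(const char *p) {
    unsigned char c = (unsigned char)*p;
    if (c <= 0x20 || c >= 0x7f || strchr("\"<>{}|\\^`", c)) return 1;
    if (c == '%')
        return !(isxdigit((unsigned char)p[1]) && isxdigit((unsigned char)p[2]));
    return 0;
}

/* Two-pass re-encoder: count, allocate oldlen + 2*count (+1), then write.
 * Sizes are size_t and the second pass checks remaining room before every
 * write, so a count/write disagreement fails closed instead of overflowing. */
char *reencode_safe(const char *s) {
    size_t oldlen = strlen(s), encode_count = 0;
    for (const char *p = s; *p; p++)
        if (needs_escaping(p)) encode_count++;
    if (encode_count > (SIZE_MAX - oldlen - 1) / 2) return NULL; /* size overflow */
    size_t newlen = oldlen + 2 * encode_count;
    char *out = malloc(newlen + 1);
    if (!out) return NULL;
    char *q = out, *end = out + newlen;
    for (const char *p = s; *p; p++) {
        size_t need = needs_escaping(p) ? 3 : 1;
        if ((size_t)(end - q) < need) { free(out); return NULL; } /* fail closed */
        if (need == 3) {
            unsigned char c = (unsigned char)*p;
            *q++ = '%';
            *q++ = "0123456789ABCDEF"[c >> 4];
            *q++ = "0123456789ABCDEF"[c & 0xf];
        } else *q++ = *p;
    }
    *q = '\0';
    return out;
}

/* Check helper: does `in` re-encode to `expected`? Frees the result. */
int reencodes_to(const char *in, const char *expected) {
    char *got = reencode_safe(in);
    int ok = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return ok;
}
```

With constructed inputs, "a%20b" passes through unchanged because the '%' is followed by two hex digits, while "a%2xb" and a trailing "%" are escaped to "a%252xb" and "100%25".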