CVE-2019-5953: heap buffer overflow in wget iri.c do_conversion
4dded6c2-d579-46f9-b695-42050c5d3520
Buffer overflow in GNU Wget 1.20.1, in do_conversion() in src/iri.c. The function URL-unescapes its input and then iconv-converts it into a buffer sized inlen*2. It has two flaws:

(1) The EILSEQ/EINVAL branch (lines 175-187) executes **out = *in; (*out)++; outlen-- without first checking outlen > 0. If iconv has consumed all of the output space and then fails on the next byte, the write overflows the buffer by one byte and outlen (a size_t) underflows to SIZE_MAX, after which the next iconv call writes attacker-controlled bytes far past the heap buffer.

(2) The E2BIG realloc branch (lines 188-195) sets len = outlen = done + inlen*2 after the realloc and sets *out = s + done. The space actually remaining from *out is only inlen*2, so outlen is over-reported by 'done' bytes and iconv may write 'done' extra bytes past the end of the buffer.

The function is reachable from remote_to_utf8 / idn_encode / idn_decode applied to attacker-controlled URL components, which matches the briefing's 'URL handling when processing encoded characters' and 'interactions between URL decoding and buffer allocation.'
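
The accounting both flaws violate is that the bytes already written plus the reported remaining space must equal the buffer capacity. The following is an added example, not Wget's code or its patch: convert_checked and mock_iconv are hypothetical names, mock_iconv is a constructed stand-in that follows iconv's EILSEQ/E2BIG contract so the edge case is deterministic, and the growth policy (capacity plus twice the unread input) is an assumption.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for iconv(): copies ASCII, fails with EILSEQ on a
   byte >= 0x80 and with E2BIG once *outleft is 0 (iconv's error contract). */
static size_t mock_iconv(const char **in, size_t *inleft, char **out, size_t *outleft)
{
    while (*inleft) {
        if ((unsigned char)**in >= 0x80) { errno = EILSEQ; return (size_t)-1; }
        if (*outleft == 0) { errno = E2BIG; return (size_t)-1; }
        *(*out)++ = *(*in)++;
        (*inleft)--; (*outleft)--;
    }
    return 0;
}

/* Hardened loop. Invariant: (out - s) + outleft == cap at every step.
   Returns a malloc'd NUL-terminated string, or NULL on failure. */
char *convert_checked(const char *in, size_t inleft, size_t cap, size_t *final_cap)
{
    char *s, *out;
    size_t outleft = cap;
    if (cap == SIZE_MAX || !(s = malloc(cap + 1))) return NULL;
    out = s;
    while (mock_iconv(&in, &inleft, &out, &outleft) == (size_t)-1) {
        int err = errno;                 /* save before realloc can touch it */
        size_t used = (size_t)(out - s);
        if (err != E2BIG && err != EILSEQ && err != EINVAL) { free(s); return NULL; }
        if (err == E2BIG || outleft == 0) {   /* grow before any write */
            if (inleft > (SIZE_MAX - cap - 1) / 2) { free(s); return NULL; }
            size_t newcap = cap + inleft * 2;
            char *t = realloc(s, newcap + 1);
            if (!t) { free(s); return NULL; }
            s = t; cap = newcap;
            out = s + used;
            outleft = cap - used;        /* space after `used`, not the total */
        }
        if (err == E2BIG) continue;
        *out++ = *in++;                  /* raw pass-through; outleft > 0 here */
        inleft--; outleft--;
    }
    *out = '\0';
    if (final_cap) *final_cap = cap;
    return s;
}
```

Calling it with an initial capacity of 2 forces both paths: the invalid byte arriving exactly when the buffer is full, and a plain E2BIG regrow.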