bash mailstat.c uses sprintf/strcpy on user-controlled path leading to stack buffer overflow

In lib/sh/mailstat.c (GNU Bash), mailstat() constructs paths using sprintf into fixed-size stack buffers (dir,file) sized PATH_MAX*2. It checks strlen(path) but then uses sprintf without verifying remaining space and later uses strcpy(file+l, fn->d_name) where l is derived from constructed dir string; only the d_name length is checked, but the earlier sprintf(file, "%s/", dir) and sprintf(dir, "%s/%s", ...) do not bound writes against sizeof(dir)/sizeof(file). An attacker controlling the mailbox path or directory entries can trigger stack-based buffer overflow.