Report
Stack buffer overflow in write_backup_file when replacing .html with .orig
a06c0203-f2d7-4139-b793-f865b0ce10f4
wget's HTML conversion path constructs a backup filename in write_backup_file(). When downloaded_file_return indicates FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, it allocates alloca(filename_len + 1), copies the whole filename, then writes "orig" starting at (filename_plus_orig_suffix + filename_len) - 4. For a short filename this writes before the allocated buffer; even for a normal .html filename the allocation does not reserve space for the extra NUL terminator after rewriting. The bug is reachable from the HTTP download path that records ADDED_HTML_EXTENSION and later triggers the .orig backup rename during convert_all_links().
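
A bounds-checked way to build the backup name, as an added example (not wget's code and not part of the original report). The helper name make_backup_name, its html_ext_added flag, the caller-supplied buffer, and the requirement that the name actually ends in ".html" are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Pattern described in the report, shown for contrast only (not compiled):
 *   p = alloca(filename_len + 1);
 *   strcpy(p, file);
 *   strcpy((p + filename_len) - 4, "orig");  // filename_len < 4: write lands before p
 */

/* Hypothetical helper: build the backup name into a caller-supplied buffer.
 * html_ext_added != 0 models FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED.
 * Returns 0 on success, -1 if the name cannot be built safely. */
int make_backup_name(const char *file, int html_ext_added,
                     char *out, size_t outsz)
{
    static const char suffix[] = ".orig";   /* sizeof includes the NUL */
    size_t len = strlen(file);

    /* Reserve room for the longest form (name + ".orig" + NUL) in both
     * branches, written so the size arithmetic cannot wrap. */
    if (outsz < sizeof suffix || len > outsz - sizeof suffix)
        return -1;

    if (html_ext_added) {
        /* Only rewrite in place when the name really ends in ".html";
         * this also guarantees len - 4 cannot underflow. */
        if (len < 5 || strcmp(file + len - 5, ".html") != 0)
            return -1;
        memcpy(out, file, len - 4);          /* keep everything up to the dot */
        memcpy(out + len - 4, "orig", 5);    /* "orig" plus its NUL */
    } else {
        memcpy(out, file, len);
        memcpy(out + len, suffix, sizeof suffix);
    }
    return 0;
}

int main(void)
{
    /* Constructed sample names, including short ones that must be rejected. */
    const char *names[] = { "index.html", "a", "abc", ".html" };
    char buf[64];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int rc = make_backup_name(names[i], 1, buf, sizeof buf);
        printf("%-12s -> %s\n", names[i], rc == 0 ? buf : "(rejected)");
    }
    return 0;
}
```
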