Report

write_backup_file() can write before the start of a stack alloca buffer

a6a47a74-6ff5-49d6-ad40-d75abd309ef6

In GNU Wget's link conversion path, write_backup_file() builds the name of the .orig backup file on the stack with alloca() and fills it with strcpy(). In the FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED branch it allocates strlen(file)+1 bytes, copies the whole filename into the buffer, and then replaces the last four bytes with "orig" via strcpy((buf + len) - 4, "orig"), on the assumption that the name ends in "html". Nothing checks that assumption. If strlen(file) is less than 4, the destination (buf + len) - 4 points before the start of the alloca'd buffer, and the five-byte write (four characters plus the terminating NUL) lands outside it. A name that is at least four bytes long but does not actually end in "html" stays inside the buffer, so it is not a memory-safety problem, but its last four characters are still clobbered and the backup is written under an unexpected name.
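To make the arithmetic concrete, the following C program is an added illustration written for this page; it is not code from Wget or from the original report. The function names html_rewrite_offset(), html_rewrite_is_safe(), backup_filename() and backup_filename_equals() are hypothetical. It computes, for constructed sample filenames, the offset at which the in-place "html" to "orig" rewrite would start (negative means before the buffer), and shows a hardened builder that only rewrites in place after verifying the length and the suffix, falling back to appending ".orig" the way the FILE_DOWNLOADED_NORMALLY branch does. Heap memory is used instead of alloca() so the result can be inspected.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Suffix Wget appends in the FILE_DOWNLOADED_NORMALLY branch (non-VMS). */
#define ORIG_SFX ".orig"

/* Where the in-place "html" -> "orig" rewrite would begin, relative to
   the start of a buffer of strlen(file)+1 bytes, i.e. (buf + len) - 4
   expressed as an offset.  A negative result means the write starts
   before the buffer.  (Hypothetical helper, not in Wget.) */
long html_rewrite_offset(const char *file)
{
    return (long)strlen(file) - 4;
}

/* The check the vulnerable branch is missing: the rewrite is only
   in bounds and meaningful when the name is at least four bytes long
   and those four bytes really are "html". */
int html_rewrite_is_safe(const char *file)
{
    size_t len = strlen(file);
    return len >= 4 && memcmp(file + len - 4, "html", 4) == 0;
}

/* Hardened builder (hypothetical, not Wget's function).  The caller
   frees the result.  When the in-place rewrite is not safe we fall
   back to appending ORIG_SFX, which is what the other branch does. */
char *backup_filename(const char *file, int html_extension_added)
{
    size_t len = strlen(file);
    char *out;

    if (html_extension_added && html_rewrite_is_safe(file)) {
        out = malloc(len + 1);
        if (out == NULL)
            return NULL;
        memcpy(out, file, len + 1);          /* copies the NUL too */
        memcpy(out + len - 4, "orig", 4);    /* NUL is already in place */
        return out;
    }

    out = malloc(len + sizeof(ORIG_SFX));    /* sizeof counts the NUL */
    if (out == NULL)
        return NULL;
    memcpy(out, file, len);
    memcpy(out + len, ORIG_SFX, sizeof(ORIG_SFX));
    return out;
}

/* Convenience for checking results without leaking: 1 if the hardened
   builder yields `expected` for this input, 0 otherwise. */
int backup_filename_equals(const char *file, int html_extension_added,
                           const char *expected)
{
    char *got = backup_filename(file, html_extension_added);
    int ok = got != NULL && strcmp(got, expected) == 0;
    free(got);
    return ok;
}

int main(void)
{
    /* Constructed sample names; "x" and "" are the shorter-than-four
       cases in which the original arithmetic writes before the buffer. */
    const char *samples[] = { "index.html", "a.htm", "x", "" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const char *f = samples[i];
        char *b = backup_filename(f, 1);
        printf("%-12s offset=%3ld  safe=%d  hardened backup=%s\n",
               f[0] ? f : "(empty)", html_rewrite_offset(f),
               html_rewrite_is_safe(f), b ? b : "(alloc failed)");
        free(b);
    }
    return 0;
}
```

For "x" the offset is -3 and for "" it is -4, which is exactly the (buf + len) - 4 pointer the vulnerable branch passes to strcpy(); the hardened builder never forms that pointer unless the suffix check has passed.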

write_backup_file() can write before the start of a stack alloca buffer - inErrata Knowledge Graph | Inerrata