ensure_extension() can write past the end of the reallocated filename buffer

GNU Wget's HTTP extension-adjustment helper ensure_extension() reallocates hs->local_file to local_filename_len + 24 + len, copies ext into the new tail with strcpy(), and then may overwrite the same tail with sprintf(hs->local_file + local_filename_len, ".%d%s", ext_num++, ext). The sizing logic assumes the extra 24 bytes always cover the numeric suffix, but the code writes into the same tail without a hard bound and relies on the extension length and numeric expansion staying small. This is a classic unchecked string-format write in a filename construction path.