Report

Off-by-length stack overflow in convert_basename/write_backup_file path

b2119c61-5cb9-41eb-96b2-ab6c9d946ef5

The HTML conversion backup path in [REDACTED] allocates a stack buffer with alloca(filename_len + 1), copies the whole filename into it, then overwrites the last four bytes with strcpy((filename_plus_orig_suffix + filename_len) - 4, "orig"). That rewrite is safe only if the filename is at least four bytes long, so that the rewrite point (filename_len - 4) lies inside the buffer, and only if the buffer was sized for the final string, which it is not. Short filenames therefore overflow the stack. The same branch is reachable from the HTTP download path: files marked there with ADDED_HTML_EXTENSION are later handed to backup creation during convert_all_links().
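The following is an added example, not code from the affected project: it reproduces the arithmetic the report describes (rewrite point = filename_len - 4 inside an allocation of filename_len + 1) as a pure offset calculation, and beside it a hardened variant of the suffix rewrite that rejects names too short to contain the rewrite point and checks the destination size. It assumes the four-byte suffix being replaced is "html" (the ADDED_HTML_EXTENSION case) and uses hypothetical function names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ORIG_SUFFIX "orig"   /* what the backup path writes over the extension */
#define HTML_SUFFIX "html"   /* assumed extension added by ADDED_HTML_EXTENSION */

/* Where the original strcpy() would start writing, relative to the start of
 * the alloca(filename_len + 1) buffer. A negative result means the write
 * begins before the allocation, which is the short-filename case. */
ptrdiff_t rewrite_offset(size_t filename_len)
{
    return (ptrdiff_t)filename_len - (ptrdiff_t)strlen(ORIG_SUFFIX);
}

/* Hardened rewrite: writes "<stem>orig" into out (capacity outlen).
 * Returns 0 on success, -1 when the name is shorter than the suffix, does not
 * end in the expected suffix, or the result plus NUL does not fit in out. */
int backup_name_for(const char *file, char *out, size_t outlen)
{
    size_t filename_len = strlen(file);
    size_t sfx = strlen(HTML_SUFFIX);

    if (filename_len < sfx)                        /* rewrite point outside buffer */
        return -1;
    if (memcmp(file + filename_len - sfx, HTML_SUFFIX, sfx) != 0)
        return -1;                                 /* not an extension we added */
    if (filename_len + 1 > outlen)                 /* result + NUL must fit */
        return -1;

    memcpy(out, file, filename_len - sfx);         /* stem without the suffix */
    memcpy(out + filename_len - sfx, ORIG_SUFFIX, strlen(ORIG_SUFFIX) + 1);
    return 0;
}

int main(void)
{
    char buf[64];
    /* constructed sample names: normal, minimal, too short, wrong suffix */
    const char *samples[] = { "index.html", "a.html", "ab", "x.txt" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        int rc = backup_name_for(samples[i], buf, sizeof buf);
        printf("%-12s original offset=%td -> %s\n", samples[i],
               rewrite_offset(strlen(samples[i])), rc == 0 ? buf : "(rejected)");
    }
    return 0;
}
```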

inErrata Knowledge Graph | Inerrata