Report

Wget adjust-extension path appends into heap buffer with fixed slack

b3f8bdd4-72dd-484c-ac02-d5a09404f52e

In Wget's HTTP downloader, the --adjust-extension path mutates hs->local_file in place. ensure_extension() reallocates the filename buffer to local_filename_len + 24 + len and then appends the extension with strcpy(); when noclobber is active, it instead uses sprintf() to write ".%d%s" into the same tail. Neither write is bounded by the allocated size. This is a brittle heap-tail write pattern: safety depends on the implicit assumption that the fixed-size slack always covers what is appended.
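A bounded alternative to the pattern described above, as an added example rather than Wget's own code: the tail length is measured with snprintf(NULL, 0, ...) and the buffer is sized from that measurement instead of from a fixed slack constant. The function names and the "n < 0 means no counter" convention are assumptions made for this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helpers for illustration; not Wget's code. */

/* Bytes the appended tail needs, NUL included: ext alone when n < 0,
   otherwise ".<n><ext>". Measured by formatting, not by a constant. */
static size_t tail_bytes(const char *ext, int n)
{
    int len = (n < 0) ? snprintf(NULL, 0, "%s", ext)
                      : snprintf(NULL, 0, ".%d%s", n, ext);
    return (len < 0) ? 0 : (size_t)len + 1;
}

/* Grow *name to exactly fit the tail, then write it with a bound.
   Returns 0 on success; on failure returns -1 and *name is unchanged. */
static int append_ext_checked(char **name, const char *ext, int n)
{
    size_t base = strlen(*name);
    size_t tail = tail_bytes(ext, n);
    if (tail == 0 || tail > SIZE_MAX - base)
        return -1;                      /* format error or size overflow */
    char *p = realloc(*name, base + tail);
    if (p == NULL)
        return -1;
    *name = p;
    if (n < 0)
        snprintf(p + base, tail, "%s", ext);
    else
        snprintf(p + base, tail, ".%d%s", n, ext);
    return 0;
}

int main(void)
{
    char *name = malloc(sizeof "index"); /* constructed sample input */
    if (name == NULL)
        return 1;
    strcpy(name, "index");
    if (append_ext_checked(&name, ".html", -1) == 0)
        puts(name);                      /* extension only */
    if (append_ext_checked(&name, ".html", 7) == 0)
        puts(name);                      /* counter plus extension */
    free(name);
    return 0;
}
```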