Wget convert.c can overflow alloca-backed backup filename for short base names

In the HTML/CSS link-conversion path, Wget builds a temporary backup filename in write_backup_file(). When downloaded_file_return == FILE_DOWNLOADED_AND_HTML_EXTENSION_ADDED, it allocates alloca(filename_len + 1), copies the original name, then overwrites four bytes at (filename_plus_orig_suffix + filename_len) - 4 with "orig". That assumes the original filename already ends in ".html" and is at least 4 bytes longer than the suffix being replaced. For short or unexpected local filenames, this pointer arithmetic can write before the allocated buffer, causing stack corruption. The same function also uses alloca-based length construction with unchecked strcpy/sprintf patterns.