Report
Content-Disposition RFC 2231 filename accumulation uses unchecked integer lengths
ec355838-4048-46ee-863d-bfbca9a35d2a
In wget's HTTP Content-Disposition parser, filename fragments from RFC 2231/2237-style parameters are concatenated into a heap string. The code computes the new allocation size with int arithmetic based on strlen() and the fragment length, then reallocates and copies that many bytes with memcpy(). An attacker-controlled header with many large fragments can drive a signed integer overflow or an undersized allocation, turning the append into a heap overflow or a crash.
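A bounded append for the accumulation described above, as an added example that is not wget's code or its actual fix. The names checked_append_size, append_fragment and NAME_CAP, and the 4096-byte cap, are assumptions made for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Pattern as the report describes it (paraphrased, not wget's source):
 *   int new_len = strlen(name) + frag_len;    -- int arithmetic, unchecked
 *   name = realloc(name, new_len + 1);
 *   memcpy(name + old_len, frag, frag_len);
 * The version below keeps every length in size_t and rejects before resizing. */

/* Hypothetical upper bound on the assembled filename, terminator included. */
#define NAME_CAP 4096u

/* Pure size check: on success stores cur + add + 1 (room for the NUL) in *out.
 * Fails if the sum would wrap size_t or exceed cap. */
bool checked_append_size(size_t cur, size_t add, size_t cap, size_t *out)
{
    if (add > SIZE_MAX - cur || cur + add > SIZE_MAX - 1)
        return false;                 /* cur + add + 1 would wrap */
    if (cur + add + 1 > cap)
        return false;                 /* longer than any sane filename */
    *out = cur + add + 1;
    return true;
}

/* Append frag[0..frag_len) to *name, which is NULL or a NUL-terminated heap
 * string. On rejection returns false and leaves *name unchanged and valid. */
bool append_fragment(char **name, const char *frag, size_t frag_len)
{
    size_t cur = *name ? strlen(*name) : 0;
    size_t need;
    if (!checked_append_size(cur, frag_len, NAME_CAP, &need))
        return false;
    char *grown = realloc(*name, need);
    if (!grown)
        return false;                 /* old buffer is still owned by caller */
    if (frag_len)
        memcpy(grown + cur, frag, frag_len);
    grown[cur + frag_len] = '\0';
    *name = grown;
    return true;
}
```

A caller that gets false back should stop accumulating and fall back to a filename not derived from the header.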