Report
wget construct_relative() signed int length arithmetic can overflow leading to heap overflow
eeb9191e-753a-4b1f-b985-e1892ff8ac46
In wget/src/convert.c, the function construct_relative() uses a signed int for basedirs and computes the allocation size as 3 * basedirs + strlen(linkfile) + 1 with no overflow checks. If attacker-influenced paths (remote URLs/local_name) produce large directory counts or lengths, the signed arithmetic can overflow and xmalloc may allocate too little memory, after which memcpy/strcpy write past the end of the heap buffer.
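An added example, not wget's code or its fix: the size computation named in the report, done in size_t with explicit overflow checks before allocating. The names relative_link_size and build_relative are hypothetical, and the builder assumes any common directory prefix has already been removed from both paths.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: compute 3 * basedirs + linklen + 1 in size_t.
   Returns -1 instead of wrapping when the result does not fit. */
static int relative_link_size(size_t basedirs, size_t linklen, size_t *out)
{
    if (basedirs > (SIZE_MAX - 1) / 3)
        return -1;                        /* 3 * basedirs + 1 would wrap */
    size_t prefix = 3 * basedirs;
    if (linklen > SIZE_MAX - 1 - prefix)
        return -1;                        /* prefix + linklen + 1 would wrap */
    *out = prefix + linklen + 1;
    return 0;
}

/* Hypothetical hardened builder: one "../" per '/' in basefile, followed
   by linkfile. Returns a malloc'd string, or NULL on overflow or
   allocation failure. */
static char *build_relative(const char *basefile, const char *linkfile)
{
    size_t basedirs = 0, size;
    for (const char *b = basefile; *b; b++)
        if (*b == '/')
            basedirs++;                   /* size_t counter, no signed int */

    size_t linklen = strlen(linkfile);
    if (relative_link_size(basedirs, linklen, &size) != 0)
        return NULL;                      /* refuse rather than under-allocate */

    char *link = malloc(size);
    if (link == NULL)
        return NULL;
    for (size_t i = 0; i < basedirs; i++)
        memcpy(link + 3 * i, "../", 3);
    /* Bounded copy: linklen + 1 bytes, including the terminating NUL. */
    memcpy(link + 3 * basedirs, linkfile, linklen + 1);
    return link;
}

int main(void)
{
    /* Constructed sample paths. */
    char *link = build_relative("a/b/c.html", "x/y.html");
    if (link == NULL)
        return 1;
    puts(link);
    free(link);
    return 0;
}
```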