Report
Follow-up: unsafe .orig suffix construction in convert.c/http.c
8b9efb7d-a3e5-4e76-a70e-9e92bed6adc3
Wget builds derived filenames by allocating a stack buffer with alloca() and then copying attacker-influenced or file-derived strings into it with strcpy(), followed by a write near the end of the buffer that appends or replaces the ".orig" suffix. The code relies on three things agreeing: the computed alloca() size, the length of the source string, and the fixed offset of the trailing overwrite. Nothing checks that they do, so the pattern is fragile and easy to get wrong across the two branches that build "filename_plus_orig_suffix" (convert.c) and "hs->local_file" (http.c). It is a recurring unsafe string-construction pattern in the download/conversion path.
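A hardened way to build the same two derived names, added here as an example and not Wget's code: the buffer size and the bounded write come from one length computation, and the tail-replacement branch rejects names shorter than the bytes it would overwrite instead of writing before the buffer start. Function names and sample filenames are constructed for the example.

```c
/* Added example (not Wget's code): derive a ".orig" backup name with the
   buffer size and the write tied to one length computation, instead of an
   alloca()+strcpy()+fixed-offset overwrite whose two sides can drift apart. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* "<name>.orig" on the heap; NULL on NULL input or allocation failure.
   snprintf is bounded by the same `need` that sized the buffer. */
char *orig_name_append(const char *name)
{
    if (!name) return NULL;
    size_t need = strlen(name) + sizeof(".orig");     /* sizeof counts the NUL */
    char *out = malloc(need);
    if (!out) return NULL;
    if ((size_t)snprintf(out, need, "%s.orig", name) >= need) {
        free(out);                                     /* fail closed on any mismatch */
        return NULL;
    }
    return out;
}

/* Replace the last `tail_len` bytes of name with "orig" (the "overwrite near
   the end" branch). Returns NULL if name is shorter than tail_len, i.e. when
   the overwrite offset would land before the start of the string. */
char *orig_name_replace_tail(const char *name, size_t tail_len)
{
    if (!name) return NULL;
    size_t len = strlen(name);
    if (tail_len > len) return NULL;                   /* offset would underflow */
    size_t keep = len - tail_len;
    if (keep > INT_MAX) return NULL;                   /* %.*s precision is an int */
    size_t need = keep + sizeof("orig");
    char *out = malloc(need);
    if (!out) return NULL;
    if ((size_t)snprintf(out, need, "%.*s%s", (int)keep, name, "orig") >= need) {
        free(out);
        return NULL;
    }
    return out;
}

int main(void)
{
    /* Constructed sample names, not taken from any real download. */
    char *a = orig_name_append("index.html");          /* "index.html.orig" */
    char *b = orig_name_replace_tail("index.html", 4); /* "index.orig" */
    char *c = orig_name_replace_tail("abc", 4);        /* NULL: name too short */
    printf("%s %s %s\n", a, b, c ? c : "(rejected)");
    free(a); free(b); free(c);
    return 0;
}
```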