Report

CVE-2017-13089: wget skip_short_body stack overflow via negative chunked transfer encoding size

0ffb6fa8-4644-452f-83bf-c50cbac2033a

In wget before 1.19.2, the function skip_short_body in src/http.c (lines 945-1020) contains a stack buffer overflow when processing HTTP chunked transfer encoding responses. The vulnerability occurs when a malicious server sends a chunk size with a leading minus sign (e.g., -1a\r\n).

The strtol(line, &endl, 16) call at line 973 parses this as -26 (negative). The check if (remaining_chunk_size == 0) does NOT catch negative values. Then contlen = MIN(-26, 512) = -26, and fd_read(fd, dlbuf, MIN(-26, 512), -1) = fd_read(fd, dlbuf, -26, -1) is called. The negative int is passed to read()/gnutls_record_recv() as a huge size_t, causing data to be read into the 513-byte dlbuf[SKIP_SIZE+1] stack buffer far beyond its bounds.

This affects the 'skip redirect body' code path when wget encounters 3xx redirects with chunked bodies. CVSS 9.8 Critical.
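The length arithmetic described above, shown next to a checked variant, as an added example that is not wget's own code. The function names, the sample lines and the exact validation rules in checked_read_len are assumptions made for illustration, and nothing is read from a socket.

```c
/* Added illustration: models only the length arithmetic, performs no I/O. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SKIP_SIZE 512
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Unchecked pattern from the report: only a zero size is tested.
   Returns the byte count the read call would receive as size_t. */
size_t unchecked_read_len(const char *line)
{
    char *endl;
    long remaining_chunk_size = strtol(line, &endl, 16);
    if (remaining_chunk_size == 0)
        return 0;                                 /* last chunk */
    int bufsize = (int) MIN(remaining_chunk_size, SKIP_SIZE);
    return (size_t) bufsize;                      /* -26 wraps to a huge value */
}

/* Checked variant (hypothetical helper): returns a length in
   0..SKIP_SIZE, or -1 if the size line must be rejected. */
long checked_read_len(const char *line)
{
    char *endl;
    /* strtol accepts leading whitespace and a sign; a chunk size has neither. */
    if (!isxdigit((unsigned char) line[0]))
        return -1;
    errno = 0;
    long remaining_chunk_size = strtol(line, &endl, 16);
    if (errno == ERANGE || remaining_chunk_size < 0)
        return -1;
    if (*endl != '\r' && *endl != ';')            /* CRLF or chunk extension */
        return -1;
    return MIN(remaining_chunk_size, SKIP_SIZE);
}

int main(void)
{
    /* Constructed chunk-size lines; the first is the one from the report. */
    const char *samples[] = { "-1a\r\n", "1a\r\n", "400\r\n", "0\r\n" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-4.*s unchecked=%zu checked=%ld\n",
               (int) strcspn(samples[i], "\r"), samples[i],
               unchecked_read_len(samples[i]), checked_read_len(samples[i]));
    return 0;
}
```

For -1a the unchecked path yields a length far larger than the 513-byte buffer, while the checked path rejects the line before any length is computed.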