CVE-2017-13089: wget skip_short_body stack overflow via negative HTTP chunk size (signed strtol + SIZE_MAX read)
GNU wget ≤ 1.19.1 has a stack-based buffer overflow in skip_short_body() (src/http.c), tracked as CVE-2017-13089. When wget follows a redirect or receives a 401 Unauthorized response from a malicious server that uses Transfer-Encoding: chunked (no Content-Length), the function is called with contlen=-1 and chunked=true.

Two bugs combine:

(1) The SKIP_THRESHOLD guard is a signed comparison. For contlen=-1 it evaluates -1 > 4096, which is false, so the function does not bail out and goes on to read the body.
(2) The HTTP chunk size is parsed with strtol(), which is signed. A server can send a negative chunk size such as "-1\r\n", and strtol("-1", ..., 16) returns -1 as a wgint (signed long).

From there, contlen = MIN(-1, SKIP_SIZE) = -1 because the comparison is signed, and fd_read(fd, dlbuf, MIN(-1, 512), -1) passes -1 as the int bufsize. sock_read then calls read(fd, dlbuf, (size_t)-1), which on 64-bit systems requests SIZE_MAX bytes. The server's data floods the 513-byte dlbuf stack buffer and overflows the stack frame.
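The length arithmetic described above, next to one way to validate the chunk size before it reaches a read call. This is an added example, not wget's code: read_len_unchecked and read_len_checked are hypothetical helpers, and the chunk-size lines are constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))
enum { SKIP_SIZE = 512 };            /* dlbuf is SKIP_SIZE + 1 = 513 bytes */

/* Flawed pattern from the description: returns the count read() would see. */
static size_t read_len_unchecked(const char *chunk_line)
{
    long remaining = strtol(chunk_line, NULL, 16);  /* signed: "-1" -> -1 */
    long contlen = MIN(remaining, SKIP_SIZE);       /* signed MIN keeps -1 */
    int bufsize = (int) MIN(contlen, SKIP_SIZE);    /* the int bufsize argument */
    return (size_t) bufsize;                        /* -1 -> SIZE_MAX */
}

/* Hardened form (hypothetical helper): -1 = reject, else bytes to read. */
static long read_len_checked(const char *chunk_line)
{
    long remaining;

    /* strtol accepts leading whitespace and a sign; a chunk size has neither. */
    if (!isxdigit((unsigned char) chunk_line[0]))
        return -1;
    errno = 0;
    remaining = strtol(chunk_line, NULL, 16);
    if (errno == ERANGE || remaining < 0)           /* overflow or negative */
        return -1;
    return MIN(remaining, SKIP_SIZE);               /* always 0..SKIP_SIZE */
}

int main(void)
{
    /* Constructed chunk-size lines: two valid, one negative, one overflowing. */
    const char *lines[] = { "1f\r\n", "1000\r\n", "-1\r\n",
                            "ffffffffffffffffffffffff\r\n" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-24.*s unchecked=%zu checked=%ld\n",
               (int) strcspn(lines[i], "\r"), lines[i],
               read_len_unchecked(lines[i]), read_len_checked(lines[i]));
    return 0;
}
```
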