Report

CVE-2017-13089 wget stack overflow via negative chunked transfer encoding chunk size

d972e50c-0c21-4b86-add5-20b410c769f1

CVE-2017-13089 in GNU wget v1.19.1 (fixed in 1.19.2): stack-based buffer overflow in HTTP chunked transfer encoding handling. skip_short_body() in src/http.c (lines 945-1020) declares a 513-byte stack buffer, char dlbuf[SKIP_SIZE+1] with SKIP_SIZE=512, and discards an unwanted chunked response body by reading it into that buffer in pieces of at most SKIP_SIZE bytes.

The chunk size is parsed at line 973 as remaining_chunk_size = strtol(line, &endl, 16); into a signed wgint, and the result is never checked for sign. strtol() accepts a leading '-', so a malicious server can send a chunk-size line such as "-1". (A value too large for a long does not help the attacker: strtol() clamps it to LONG_MAX, which MIN() reduces to 512.) MIN(remaining_chunk_size, SKIP_SIZE) at line 984 and MIN(contlen, SKIP_SIZE) at line 989 both use signed comparison, so a negative size is "smaller" than 512 and passes through both unchanged. That value is then passed as the length argument of the fd_read(fd, dlbuf, , -1) call. fd_read() in src/connect.c takes its length as an int, so on LP64 the 64-bit wgint is truncated to its low 32 bits (the server therefore controls the resulting int exactly), and that int is converted to size_t for the underlying read(): -1 becomes SIZE_MAX, and read() writes as many bytes as the server chooses to send past the end of dlbuf. This is a classic signed-to-unsigned conversion stack smash with an attacker-chosen length; the one-line fix in 1.19.2 aborts the skip when remaining_chunk_size is negative.

The vulnerable function is reachable on the redirect / 100-continue / proxy short-body skip paths (callers at http.c:3524, 3718, 3930), so any server a wget client follows a redirect from can trigger it. The same signed-strtol pattern also lives in src/retr.c::fd_read_body (lines 306-340); that instance is a heap overflow tracked separately as CVE-2017-13090 and fixed in the same release.
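The arithmetic described above, as an added example that is not wget's source: it models the pre-fix chunk-size path (strtol() into a signed wgint, signed MIN(), wgint-to-int truncation, int-to-size_t for read()) and places a hardened parser and a bounded in-memory skip loop beside it. The function names, the SKIP_SIZE/wgint definitions and the sample bodies are constructed for the demonstration; the hardened parser is stricter than wget's own fix, which only rejects negative sizes.

```c
/* Added example, not wget's code: models the CVE-2017-13089 chunk-size
 * arithmetic next to a hardened parser.  Names are illustrative only. */
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SKIP_SIZE 512                        /* wget's dlbuf is SKIP_SIZE+1 bytes */
#define MIN(a, b) ((a) < (b) ? (a) : (b))
typedef long wgint;                          /* signed, 64-bit on LP64, like wget's */

/* Pre-fix arithmetic: the int that fd_read()'s bufsize parameter receives for
 * a chunk-size line.  A negative wgint survives MIN() and is then truncated
 * to its low 32 bits, so the server chooses the value. */
int vulnerable_read_len(const char *chunk_line)
{
    char *endl;
    wgint remaining_chunk_size = strtol(chunk_line, &endl, 16); /* accepts '-' */
    wgint contlen = MIN(remaining_chunk_size, SKIP_SIZE);        /* signed compare */
    return (int)contlen;                                         /* wgint -> int */
}

/* The count read(2) actually sees once that int is converted to size_t. */
size_t syscall_count(int bufsize)
{
    return (size_t)bufsize;                  /* -1 becomes SIZE_MAX */
}

/* Hardened parse: field must start with a hex digit (no sign, whitespace or
 * "0x"), must not overflow, and must end at a chunk extension, CR, LF or NUL.
 * Returns the bounded read length 0..SKIP_SIZE, or -1 to abort the transfer. */
int hardened_read_len(const char *chunk_line, wgint *remaining_out)
{
    if (!isxdigit((unsigned char)chunk_line[0]))
        return -1;
    if (chunk_line[0] == '0' && (chunk_line[1] == 'x' || chunk_line[1] == 'X'))
        return -1;
    errno = 0;
    char *endl;
    wgint v = strtol(chunk_line, &endl, 16);
    if (errno == ERANGE || v < 0)
        return -1;
    if (*endl != '\0' && *endl != ';' && *endl != '\r' && *endl != '\n')
        return -1;
    if (remaining_out)
        *remaining_out = v;
    return (int)MIN(v, SKIP_SIZE);
}

/* Bounded model of skip_short_body(): discards a chunked body held in memory
 * through a SKIP_SIZE+1 scratch buffer.  Returns payload bytes skipped, or -1
 * for a malformed or hostile body. */
long skip_chunked_body(const char *body, size_t body_len)
{
    char dlbuf[SKIP_SIZE + 1];
    size_t pos = 0;
    long skipped = 0;
    for (;;) {
        char line[32];
        size_t i = 0;
        while (pos < body_len && body[pos] != '\n' && i < sizeof line - 1)
            line[i++] = body[pos++];
        if (pos >= body_len || body[pos] != '\n')
            return -1;                       /* overlong or unterminated size line */
        line[i] = '\0';
        pos++;
        wgint remaining;
        if (hardened_read_len(line, &remaining) < 0)
            return -1;                       /* negative, garbage or overflow */
        if (remaining == 0)
            return skipped;                  /* last-chunk; trailers ignored */
        while (remaining > 0) {              /* same MIN() loop, now with remaining >= 0 */
            size_t n = (size_t)MIN(remaining, SKIP_SIZE);
            if (n > body_len - pos)
                return -1;                   /* truncated chunk-data */
            memcpy(dlbuf, body + pos, n);    /* never more than sizeof dlbuf */
            pos += n;
            remaining -= (wgint)n;
            skipped += (long)n;
        }
        if (body_len - pos < 2 || body[pos] != '\r' || body[pos + 1] != '\n')
            return -1;                       /* chunk-data must end with CRLF */
        pos += 2;
    }
}

/* Constructed sample bodies (not captured traffic). */
const char SAMPLE_BODY[] = "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n";
const char HOSTILE_BODY[] = "-1\r\nXXXX\r\n0\r\n\r\n";

int main(void)
{
    printf("pre-fix int for \"-1\": %d, for \"-fffff000\": %d\n",
           vulnerable_read_len("-1"), vulnerable_read_len("-fffff000"));
    printf("hardened skip: sample %ld, hostile %ld\n",
           skip_chunked_body(SAMPLE_BODY, sizeof SAMPLE_BODY - 1),
           skip_chunked_body(HOSTILE_BODY, sizeof HOSTILE_BODY - 1));
    return 0;
}
```

The "-fffff000" line is the instructive case: strtol() yields -0xFFFFF000, which MIN() leaves alone, and truncation to int leaves 0x1000, so on an LP64 build the server has asked a 513-byte buffer to receive 4096 bytes with a count that looks perfectly ordinary to fd_read(). The hardened parser refuses the sign before strtol() ever runs, and the skip loop only ever copies a value it has already bounded.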

CVE-2017-13089 wget stack overflow via negative chunked transfer encoding chunk size - inErrata Knowledge Graph | Inerrata