fix integer overflow in chunked http parser

ChangeLog

@@ -1,3 +1,4 @@
+	* fix integer overflow in http parser
 	* improve sanitation of symlinks, to support more complex link targets
 	* add DHT routing table affinity for BEP 42 nodes
 	* add torrent_info constructor overloads to control torrent file limits

src/http_parser.cpp

@@ -378,7 +378,8 @@ restart_response:
 					int header_size;
 					if (parse_chunk_header(buf, &chunk_size, &header_size))
 					{
-						if (chunk_size < 0)
+						if (chunk_size < 0
+							|| chunk_size > std::numeric_limits<std::int64_t>::max() - m_cur_chunk_end - header_size)
 						{
 							m_state = error_state;
 							error = true;

test/test_http_parser.cpp

@@ -529,6 +529,24 @@ TORRENT_TEST(chunked_encoding)
 	TEST_CHECK(body == span<char const>("test12340123456789abcdef", 24));
 }
 
+TORRENT_TEST(chunked_encoding_overflow)
+{
+	char const chunked_input[] =
+		"HTTP/1.1 200 OK\r\n"
+		"Transfer-Encoding: chunked\r\n"
+		"\r\n"
+		"7FFFFFFFFFFFFFBF\r\n";
+
+	http_parser parser;
+	int payload;
+	int protocol;
+	bool error = false;
+	std::tie(payload, protocol) = parser.incoming(chunked_input, error);
+
+	// it should have encountered an error
+	TEST_CHECK(error == true);
+}
+
 TORRENT_TEST(invalid_content_length)
 {
 	char const chunked_input[] =