File wget-check-chunk-length-for-overflowing-off_t.patch of Package busybox

From: Denys Vlasenko <vda.linux@googlemail.com>
Date: Sun Apr 8 18:06:24 2018 +0200
Subject: wget: check chunk length for overflowing off_t
Patch-mainline: 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e
Git-repo: https://git.busybox.net/busybox
Git-commit: b1a212f737c970450d37f14982a67e8637dd79bc
References: 

function                                             old     new   delta
retrieve_file_data                                   428     465     +37
wget_main                                           2386    2389      +3
------------------------------------------------------------------------------
(add/remove: 0/0 grow/shrink: 2/0 up/down: 40/0)               Total: 40 bytes

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Signed-off-by: Egbert Eich <eich@suse.de>
---
 networking/wget.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/networking/wget.c b/networking/wget.c
index b5cf2c21f..1eb1a8294 100644
--- a/networking/wget.c
+++ b/networking/wget.c
@@ -908,11 +908,19 @@ static void NOINLINE retrieve_file_data(FILE *dfp)
 		if (!G.chunked)
 			break;
 
-		fgets_trim_sanitize(dfp, NULL); /* Eat empty line */
+		/* Each chunk ends with "\r\n" - eat it */
+		fgets_trim_sanitize(dfp, NULL);
  get_clen:
+		/* chunk size format is "HEXNUM[;name[=val]]\r\n" */
 		fgets_trim_sanitize(dfp, NULL);
+		errno = 0;
 		G.content_len = STRTOOFF(G.wget_buf, NULL, 16);
-		/* FIXME: error check? */
+		/*
+		 * Had a bug with inputs like "ffffffff0001f400"
+		 * smashing the heap later. Ensure >= 0.
+		 */
+		if (G.content_len < 0 || errno)
+			bb_error_msg_and_die("bad chunk length '%s'", G.wget_buf);
 		if (G.content_len == 0)
 			break; /* all done! */
 		G.got_clen = 1;
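Review bot: The added check on `G.content_len` still accepts a chunk-size line with no hex digits at all, because `STRTOOFF` is called with a NULL end pointer. With no conversion it returns 0 and the C library is not required to set errno, so the `G.content_len == 0` branch treats an empty or garbage line as the final chunk and a truncated body is accepted as a complete download. Passing an end pointer closes this: `G.content_len = STRTOOFF(G.wget_buf, &end, 16);` followed by `if (G.content_len < 0 || errno || end == G.wget_buf)`. Since the format comment allows `;name[=val]` after the number, the character at `end` could also be restricted to `'\0'` or `';'`. retrieve_file_data starts and ends outside this hunk, so what fgets_trim_sanitize leaves in `G.wget_buf` is assumed here rather than visible.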