Fix buffer overflow with chunked HTTP handling (CVE-2019-16239)

Over a decade ago, I was vocally sad about the fact that I needed to
implement HTTP client code for myself because none of the available
options at the time gave me sufficient control over the underlying
TLS connection.

This is why. A malicious HTTP server (after we have accepted its
identity certificate) can provide bogus chunk lengths for chunked
HTTP encoding and cause a heap overflow.

Reported by Lukas Kupczyk of the Advanced Research Team at CrowdStrike
Intelligence.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
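
A bounds-checked decoder for the chunked encoding this commit message refers to, added here as an illustration; it is not the code from this commit or from the project. The names `decode_chunked`, `read_chunk_len`, `struct body` and the `MAX_BODY_LEN` cap are assumptions made for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BODY_LEN (1u << 20)   /* assumed policy cap, not from the commit */
struct body { char *data; size_t len; };   /* hypothetical output buffer */

/* Parse bare hex digits at in[*pos]; on success move *pos past the line's CRLF. */
static int read_chunk_len(const char *in, size_t in_len, size_t *pos, size_t *out)
{
    size_t v = 0, i = *pos;
    for (; i < in_len && isxdigit((unsigned char)in[i]); i++) {
        int c = tolower((unsigned char)in[i]);
        v = v * 16 + (size_t)(isdigit(c) ? c - '0' : c - 'a' + 10);
        if (v > MAX_BODY_LEN) return -ERANGE;   /* stop long before v could wrap */
    }
    if (i == *pos) return -EINVAL;        /* no digits: rejects "-1", " 5", "" */
    if (i < in_len && in[i] == ';')       /* skip an optional chunk extension */
        while (i < in_len && in[i] != '\r') i++;
    if (in_len - i < 2 || in[i] != '\r' || in[i + 1] != '\n')
        return -EINVAL;
    *pos = i + 2; *out = v;
    return 0;
}

/* Decode a chunked body held in in[0..in_len). Returns 0 or a negative errno. */
int decode_chunked(const char *in, size_t in_len, struct body *b)
{
    size_t pos = 0, n;
    char *p;
    int ret;

    b->data = NULL; b->len = 0;
    while ((ret = read_chunk_len(in, in_len, &pos, &n)) == 0) {
        if (n == 0) return 0;             /* last-chunk; trailers are ignored */
        /* The declared length must fit the cap AND the bytes really received. */
        ret = -EINVAL;
        if (n > MAX_BODY_LEN - b->len || in_len - pos < 2 ||
            n > in_len - pos - 2 || memcmp(in + pos + n, "\r\n", 2) != 0)
            break;
        ret = -ENOMEM;
        if (!(p = realloc(b->data, b->len + n))) break;
        b->data = p;
        memcpy(p + b->len, in + pos, n);
        b->len += n; pos += n + 2;
    }
    free(b->data);
    b->data = NULL; b->len = 0;
    return ret;
}
```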