client: fix invalid data access through invalid content-length values

client: fix invalid data access through invalid content-length values

An invalid data access can be triggered with an HTTP POST request to a CGI
script specifying both `Transfer-Encoding: chunked` and a large negative
`Content-Length`.

The negative content length is assigned to `r->content_length` in
`client_parse_header` and passed as a negative read length to
`ustream_consume` in `client_poll_post_data` which will set the internal
ustream buffer pointer to an invalid address, causing out of bounds memory
reads later on in the code flow.

A similar implicit unsigned to signed conversion happens when parsing
chunk sizes emitted by a CGI program.

Address these issues by rejecting negative values in `r->content_length`
after assigning the `strtoul()` result.

Reported-by: Jan-Niklas Sohn <[email protected]>
Signed-off-by: Jo-Philipp Wich <[email protected]>