Avoid access violation after parser_parse_chunky_headers call.

In parser_parse_chunky_headers, parser->msg.msg.buf can be changed
by membuffer_delete call. Therefore if we save the pointer to
parser->msg.entity.buf before calling membuffer_delete, it will
induce access to released memory.
(cherry picked from commit d72bb5cff51bfc261de7725536cef53fd1f0b356)

ChangeLog

@@ -332,6 +332,15 @@ Version 1.8.0
 Version 1.6.18
 *******************************************************************************
 
+2012-04-11 Yoichi NAKAYAMA <yoichi.nakayama(at)gmail.com>
+
+	Avoid access violation after parser_parse_chunky_headers call.
+
+	In parser_parse_chunky_headers, parser->msg.msg.buf can be changed
+	by membuffer_delete call. Therefore if we save the pointer to
+	parser->msg.entity.buf before calling membuffer_delete, it will
+	induce access to released memory.
+
 2012-04-06 Yoichi NAKAYAMA <yoichi.nakayama(at)gmail.com>
 
 	Remove possibility of access violation.

upnp/src/genlib/net/http/httpparser.c

@@ -1684,14 +1684,14 @@ parser_parse_chunky_headers( INOUT http_parser_t * parser )
         /* finally, done with the whole msg */
         parser->position = POS_COMPLETE;
 
-        /* save entity start ptr as the very last thing to do */
-        parser->msg.entity.buf = parser->msg.msg.buf +
-            parser->entity_start_position;
-
         membuffer_delete( &parser->msg.msg, save_pos,
                           ( parser->scanner.cursor - save_pos ) );
         parser->scanner.cursor = save_pos;
 
+        /* save entity start ptr as the very last thing to do */
+        parser->msg.entity.buf = parser->msg.msg.buf +
+            parser->entity_start_position;
+
         return PARSE_SUCCESS;
     } else {
         return status;