Handle overflow in http_SendMessage.

ChangeLog

@@ -11,6 +11,7 @@ Version 1.6.16
 	* Handle SearchByTarget error in UpnpSearchAsync.
 	* Pass output buffer size to addrToString and detect overflow.
 	* Handle addrToString error in configure_urlbase. 
+	* Handle overflow in http_SendMessage.
 	* Treat large argument as error in UpnpAddVirtualDir.
 	* Do not clear buffer before snprintf.
 	* Clarify the last argument of GetDescDocumentAndURL has size LINE_SIZE.

upnp/src/genlib/net/http/httpreadwrite.c

@@ -446,15 +446,19 @@ int http_SendMessage(SOCKINFO *info, int *TimeOut, const char *fmt, ...)
 				}
 				/* Create chunk for the current buffer. */
 				if (Instr && Instr->IsChunkActive) {
+					int rc;
 					/* Copy CRLF at the end of the chunk */
 					memcpy(file_buf + num_read, "\r\n", 2);
 					/* Hex length for the chunk size. */
 					memset(Chunk_Header, 0,
 						sizeof(Chunk_Header));
-					snprintf(Chunk_Header,
+					rc = snprintf(Chunk_Header,
 						sizeof(Chunk_Header) - strlen ("\r\n"),
 						"%" PRIzx, num_read);
-					/*itoa(num_read,Chunk_Header,16);  */
+					if (rc < 0 || (unsigned int) rc >= sizeof(Chunk_Header) - strlen ("\r\n")) {
+						RetVal = UPNP_E_INTERNAL_ERROR;
+						goto Cleanup_File;
+					}
 					strncat(Chunk_Header, "\r\n", strlen ("\r\n"));
 					/* Copy the chunk size header  */
 					memcpy(file_buf - strlen(Chunk_Header),