Commit d1004ba

http: use size_t for byte position in fwrite_sha1_file

fwrite_sha1_file() tracks the number of bytes written via an int variable posn, but the total size to write (eltsize * nmemb) is size_t. When the HTTP response body exceeds INT_MAX (~2GB), posn overflows and the expression (char *)ptr + posn accesses memory before the buffer (heap under-read), then writes that data to the local object file via xwrite. The hash check afterward would reject the corrupt object (so no bad data enters the object store), but the under-read itself could leak adjacent heap contents to the temporary file.

In practice this is unlikely because curl delivers data in small chunks (typically 16KB per callback invocation), so eltsize * nmemb is far below INT_MAX in a single call. However, the function interface accepts arbitrary sizes, and the accumulation across the do-while loop means posn grows across calls within a single invocation, not across callbacks.

Change posn from int to size_t to match the type of size.

This is a hardening fix: the attack surface (a malicious HTTP server triggering a >2GB single-callback delivery) is theoretical under normal curl configurations, but the type mismatch is a genuine defect.

Pointed out by Coverity.

Assisted-by: Claude Opus 4.6
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
1 parent 31e2a73 commit d1004ba

1 file changed

Lines changed: 1 addition & 1 deletion

http.c

@@ -2718,7 +2718,7 @@ static size_t fwrite_sha1_file(char *ptr, size_t eltsize, size_t nmemb,
27182718
{
27192719
unsigned char expn[4096];
27202720
size_t size = eltsize * nmemb;
2721-
int posn = 0;
2721+
size_t posn = 0;
27222722
struct http_object_request *freq = data;
27232723
struct active_request_slot *slot = freq->slot;
27242724
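
Review bot: At `size_t size = eltsize * nmemb;`, directly above the changed declaration, the product is still computed without an overflow check, so widening `posn` to `size_t` makes the counter match a bound that can itself wrap. If the function is meant to be robust to arbitrary `eltsize` and `nmemb`, as the commit message argues, consider computing `size` with Git's `st_mult()` or rejecting the call when the multiplication would overflow. The hunk context also stops before the loop that uses `posn`, so it is worth confirming in the full function that no remaining expression mixes `posn` with a signed value (for example a write return code) in a way that relied on it being `int`.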
