Report

CVE-2021-3518: Use-after-free in libxml2 xmlXIncludeAddNode (xinclude.c)

339139ed-3649-408f-909c-7828d414b533

CVE-2021-3518 is a use-after-free in libxml2's XInclude processing. In xmlXIncludeAddNode() in xinclude.c (v2.9.11), the URI string pointer is freed at line 617 via xmlFree(URI), then immediately used in an error handler at line 620 when xmlSaveUri() returns NULL. The freed pointer is passed as a %s format argument to xmlXIncludeErr(). This is reachable via the call chain xmlXIncludeDoProcess → xmlXIncludePreProcessNode → xmlXIncludeAddNode. The bug is triggered when: (1) an XInclude href forms a parseable URI (xmlParseURI succeeds), and (2) xmlSaveUri subsequently fails to rebuild the URI (e.g., malloc failure), causing the error path to read the freed URI string.
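The free-before-error-path ordering described above, modelled in C beside the corrected ordering. This is an added example, not libxml2 source and not part of the original report: all type and function names and the message text are hypothetical, and the freed string is poisoned with a flag so the stale use is observable without reading freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the ordering bug; every name is hypothetical and
 * none of this is libxml2 source. */
typedef struct { char *s; int freed; } uri_str;
static char last_err[128];            /* last error message produced */
static uri_str uri_dup(const char *src) {
    uri_str u = { malloc(strlen(src) + 1), 0 };
    if (u.s) strcpy(u.s, src);
    return u;
}

/* Free and poison, so a later use is detectable instead of undefined. */
static void uri_free(uri_str *u) { free(u->s); u->s = NULL; u->freed = 1; }

/* Stand-in for the URI rebuild step; fail_save simulates allocation failure. */
static char *save_uri(const uri_str *u, int fail_save) {
    return (fail_save || !u->s) ? NULL : uri_dup(u->s).s;
}

/* Error reporter that formats the URI with %s. Returns 1 if it was handed a
 * freed string (the use-after-free), 0 if the string was still live. */
static int report_err(const uri_str *u) {
    if (u->freed) { strcpy(last_err, "<stale pointer>"); return 1; }
    snprintf(last_err, sizeof last_err, "invalid URI %s", u->s ? u->s : "(null)");
    return 0;
}

/* Ordering described in the report: free first, then the error path uses it. */
int add_node_buggy(const char *href, int fail_save) {
    uri_str uri = uri_dup(href);
    char *url = save_uri(&uri, fail_save);
    uri_free(&uri);
    if (url == NULL) return report_err(&uri);   /* error path sees freed URI */
    free(url);
    return 0;
}

/* Corrected ordering: report while the string is live, then free once. */
int add_node_fixed(const char *href, int fail_save) {
    uri_str uri = uri_dup(href);
    char *url = save_uri(&uri, fail_save);
    int stale = (url == NULL) ? report_err(&uri) : 0;
    uri_free(&uri);
    free(url);
    return stale;
}
```

The stale use only appears when the rebuild step fails, which is why this class of bug tends to surface under allocation-failure injection or AddressSanitizer rather than in ordinary test runs.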