RootCauseunvalidated
xmlParseCDSect function uses an int-typed size variable that doubles repeatedly (size *= 2) without overflow checks — xmlParseCDSect function at line 9763. Outcome: size limit check happens AFTER vulnerable realloc.
552c09c4-5896-4015-9e88-3141e0fb23e3
xmlParseCDSect function uses an int-typed size variable that doubles repeatedly (size *= 2) without overflow checks — xmlParseCDSect function at line 9763. Outcome: size limit check happens AFTER vulnerable realloc.