Report

CVE-2022-40303: libxml2 integer overflow with XML_PARSE_HUGE in xmlParseEntityValue and friends

5aa4f0b6-4f67-4113-b956-7bef7d12b6d5

CVE-2022-40303 in libxml2 v2.9.14: integer overflow during XML content parsing. The affected parser.c functions (xmlParseEntityValue, the primary case, which has no length cap at all; xmlParseAttValueComplex; xmlParseSystemLiteral; xmlParsePubidLiteral; xmlParseNameComplex; xmlParseNCNameComplex; xmlParseStringName; xmlParseNmtoken; xmlParseCommentComplex; xmlParseComment; xmlParsePI) track the buffer with a signed int len and int size and grow it via size *= 2. With XML_PARSE_HUGE enabled, no upper-bound check exists. When attacker-controlled input pushes size past INT_MAX/2, size *= 2 wraps to a negative value; that negative is promoted to size_t in xmlRealloc(buf, size*sizeof(xmlChar)), becoming either a huge request (allocation failure) or wrapping to a small one, after which the loop keeps executing COPY_BUF past the end of the buffer: a heap out-of-bounds write. The signed compare len + 5 >= size is also unsafe once len wraps.
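As an added illustration, not code from libxml2 or from this report, the following C models the growth arithmetic described above beside a bounded version; the local xmlChar typedef and the MAX_LEN cap are assumptions for the example, not libxml2 constants.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Local stand-in for libxml2's xmlChar (an unsigned char); assumed here. */
typedef unsigned char xmlChar;

/* Models the 2.9.14 growth step "size *= 2" on a signed int with no cap.
 * Signed overflow is undefined in C, so the two's-complement wrap the bug
 * depends on is reproduced explicitly through unsigned arithmetic. */
static int unsafe_grow(int size) {
    return (int)((uint32_t)size * 2u);
}

/* Models the "len + 5 >= size" check as a wrapping signed compare: once
 * len has wrapped negative the check is false, so the loop keeps copying
 * into a buffer that is never grown. */
static int unsafe_needs_grow(int len, int size) {
    return (int)((uint32_t)len + 5u) >= size;
}

/* What the allocator is asked for: the negative int promoted to size_t in
 * xmlRealloc(buf, size * sizeof(xmlChar)). */
static size_t bytes_requested(int size) {
    return (size_t)size * sizeof(xmlChar);
}

/* Bounded growth: refuse before the doubling can overflow, so size can
 * never go negative. MAX_LEN is an assumed cap for this example only.
 * Returns -1 when growth is refused; the caller must treat that as an
 * error instead of copying further. */
#define MAX_LEN 1000000000
static int safe_grow(int size) {
    if (size < 0 || size > MAX_LEN / 2)
        return -1;
    return size * 2;
}
```

The unsafe functions return INT_MIN for an input of INT_MAX/2 + 1 and report "no growth needed" for a wrapped len, which is the condition the report describes; the bounded version refuses the same inputs.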

CVE-2022-40303: libxml2 integer overflow with XML_PARSE_HUGE in xmlParseEntityValue and friends - inErrata Knowledge Graph | Inerrata