CVE-2022-40303: Integer overflow in libxml2 xmlParseCharData → xmlBufAdd with XML_PARSE_HUGE
9ddbb479-6998-4f9b-8825-77c46c7b0412
CVE-2022-40303 in libxml2 2.9.14 is an integer overflow in the parser's content-length arithmetic, reachable only when the caller enables XML_PARSE_HUGE. That option lifts the parser's default length limits, which is what allows a single text node to grow past 2 GB and push int counters beyond INT_MAX. The issue was fixed in libxml2 2.10.3.

Primary overflow. When a text node is larger than INT_MAX bytes (about 2.1 GB), the int nbchar variable in xmlParseCharData (parser.c:4424) receives the pointer difference in - ctxt->input->cur at lines 4448/4500. That difference is a ptrdiff_t; storing it in an int truncates it to 32 bits, so a length of 2^31 or more becomes negative, or a small positive value that no longer matches the data it describes. The corrupted length is passed unchanged through the SAX characters callback to xmlBufAdd (buf.c:872), where needSize = buf->use + len + 1 is evaluated with the wrong len: a negative int converts to a huge size_t and the sum wraps to a small number, so the buffer is judged large enough (or grown far too little), and the memmove that follows writes past the heap allocation. The upstream description of this CVE reports the observed outcome as an access at a negative 2 GB offset and a segmentation fault.

Secondary overflow. xmlParseEntityValue (parser.c:3768) grows its entity-value buffer from int size = 100 by size *= 2 with no overflow guard. After 25 doublings the product exceeds INT_MAX (100 * 2^25 = 3,355,443,200) and, signed overflow being undefined in C but wrapping in practice, size becomes -939,524,096. That negative int is then multiplied by sizeof(xmlChar) and handed to xmlRealloc, where the int-to-size_t conversion turns it into an enormous request. Both bugs share one root cause: lengths that can exceed 2^31 bytes are held in int rather than size_t.
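The arithmetic above can be reproduced without a multi-gigabyte input. The following is an added example written for this page, not libxml2 source and not the upstream patch: each function models one of the faulty computations described above (the int narrowing of nbchar, the needSize sum in xmlBufAdd, and the unchecked size *= 2 doubling) beside a checked form. All function names are this example's own; the starting size 100 is the value cited above, and the 1,000,000,000-byte cap used in the checked variants is an assumed limit chosen here, not a libxml2 constant.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Two's-complement narrowing of a 64-bit value to 32 bits, done explicitly
   so the model itself has no signed-overflow undefined behaviour. */
static int wrap_to_int(int64_t v) {
    uint64_t low = (uint64_t)v & 0xffffffffULL;
    int64_t w = (int64_t)low;
    if (w >= 0x80000000LL) w -= 0x100000000LL;
    return (int)w;
}

/* Vulnerable shape of xmlParseCharData: nbchar = in - ctxt->input->cur with
   nbchar declared int. span models the ptrdiff_t between the two pointers. */
int nbchar_narrowed(int64_t span) {
    return wrap_to_int(span);
}

/* Checked shape (this example's own): keep the length in size_t and reject
   anything above cap before it reaches the SAX layer. Returns 1 and stores
   the length, or 0 if the span is negative or too long. */
int nbchar_checked(int64_t span, size_t cap, size_t *out) {
    if (span < 0 || (uint64_t)span > cap) return 0;
    *out = (size_t)span;
    return 1;
}

/* Model of needSize = buf->use + len + 1 with an int len: a negative len
   converts to a huge size_t and the sum wraps to a small number. */
size_t need_size(size_t use, int len) {
    return use + (size_t)len + 1;
}

/* Checked form: fail instead of wrapping. */
int need_size_checked(size_t use, size_t len, size_t *out) {
    if (use >= SIZE_MAX - 1 || len > SIZE_MAX - use - 1) return 0;
    *out = use + len + 1;
    return 1;
}

/* Model of xmlParseEntityValue's growth: int size = 100, size *= 2 per step,
   wrapping like a 32-bit int does in practice. Returns size after n steps. */
int entity_size_after(int doublings) {
    int64_t size = 100;
    for (int i = 0; i < doublings; i++) size = wrap_to_int(size * 2);
    return (int)size;
}

/* The byte count size * sizeof(xmlChar) hands to xmlRealloc once size has
   gone negative: the int converts to size_t and becomes enormous. */
size_t realloc_request(int size) {
    return (size_t)size * sizeof(unsigned char);
}

/* Checked growth: double a size_t toward needed, 0 if cap would be exceeded. */
size_t grow_checked(size_t size, size_t needed, size_t cap) {
    while (size < needed) {
        if (size > cap / 2) return 0;
        size *= 2;
    }
    return size <= cap ? size : 0;
}

int main(void) {
    size_t out;
    printf("nbchar for 2^31 bytes narrows to %d\n",
           nbchar_narrowed((int64_t)INT_MAX + 1));
    printf("nbchar for 2^32+100 bytes narrows to %d\n",
           nbchar_narrowed(((int64_t)1 << 32) + 100));
    printf("checked nbchar for 2^31 bytes accepted: %d\n",
           nbchar_checked((int64_t)INT_MAX + 1, 1000000000, &out));
    printf("needSize with use=1000, len=-900: %zu\n", need_size(1000, -900));
    printf("entity size after 24 doublings: %d, after 25: %d\n",
           entity_size_after(24), entity_size_after(25));
    printf("realloc request after wrap: %zu bytes\n",
           realloc_request(entity_size_after(25)));
    printf("checked growth to 3e9 under a 1e9 cap: %zu\n",
           grow_checked(100, (size_t)3000000000ULL, 1000000000));
    return 0;
}
```

Note that every "vulnerable" function here computes the wrap explicitly; the real code relies on implementation-defined narrowing and on signed overflow that happens to wrap, which is why a compiler may also legally do something else with it.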