[libxml2] Check return value of nodePush in xmlSAX2StartElement

[Nick Wellnhofer <nwellnhof src gnome org>]

commit 8c9daf790abfc06e8ca3a44652542c577bb67d49
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Wed Sep 12 13:42:27 2018 +0200

    Check return value of nodePush in xmlSAX2StartElement
    
    If the maximum depth is exceeded, nodePush halts the parser which
    results in freeing the input buffer since the previous commit. This
    invalidates the attribute pointers, so the error condition must be
    checked.
    
    Found by OSS-Fuzz.

 SAX2.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
---
diff --git a/SAX2.c b/SAX2.c
index 0f261b7b..49ce566c 100644
--- a/SAX2.c
+++ b/SAX2.c
@@ -1665,7 +1665,10 @@ xmlSAX2StartElement(void *ctx, const xmlChar *fullname, const xmlChar **atts)
 #ifdef DEBUG_SAX_TREE
     xmlGenericError(xmlGenericErrorContext, "pushing(%s)\n", name);
 #endif
-    nodePush(ctxt, ret);
+    if (nodePush(ctxt, ret) < 0) {
+        xmlFreeNode(ret);
+        return;
+    }
 
     /*
      * Link the child element
@@ -2336,7 +2339,10 @@ xmlSAX2StartElementNs(void *ctx,
     /*
      * We are parsing a new node.
      */
-    nodePush(ctxt, ret);
+    if (nodePush(ctxt, ret) < 0) {
+        xmlFreeNode(ret);
+        return;
+    }
 
     /*
      * Link the child element