[libxml2] Fix integer overflow when counting written bytes



commit 40e00bc5174ab61036c893078123467144b05a4a
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Mon Oct 14 16:56:59 2019 +0200

    Fix integer overflow when counting written bytes
    
    Check for integer overflow when updating the `written` member of
    struct xmlOutputBuffer in xmlIO.c.
    
    Closes #112. Resolves !54 and !55.

 xmlIO.c | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
---
diff --git a/xmlIO.c b/xmlIO.c
index 2a1e2cb0..752d5e0a 100644
--- a/xmlIO.c
+++ b/xmlIO.c
@@ -3413,7 +3413,10 @@ xmlOutputBufferWrite(xmlOutputBufferPtr out, int len, const char *buf) {
                out->error = XML_IO_WRITE;
                return(ret);
            }
-           out->written += ret;
+            if (out->written > INT_MAX - ret)
+                out->written = INT_MAX;
+            else
+                out->written += ret;
        }
        written += nbchars;
     } while (len > 0);
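Review bot: The context line `written += nbchars;` in this loop is still an unchecked addition, so the function's own running total (presumably the value xmlOutputBufferWrite returns) can wrap even though `out->written` now saturates. Its declaration is outside the hunk; if it is an `int`, as the INT_MAX clamp on the member suggests, the same guard belongs here: `if (written > INT_MAX - nbchars) written = INT_MAX; else written += nbchars;`. That form assumes `nbchars` is non-negative at this point, which the hunk does not show. The function body starts and ends outside the hunk.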
@@ -3609,7 +3612,10 @@ xmlOutputBufferWriteEscape(xmlOutputBufferPtr out, const xmlChar *str,
                out->error = XML_IO_WRITE;
                return(ret);
            }
-           out->written += ret;
+            if (out->written > INT_MAX - ret)
+                out->written = INT_MAX;
+            else
+                out->written += ret;
        } else if (xmlBufAvail(out->buffer) < MINLEN) {
            xmlBufGrow(out->buffer, MINLEN);
        }
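Review bot: The clamp added in xmlOutputBufferWriteEscape makes `out->written` a saturating counter, but nothing in the new lines says so, and a caller reading the field can no longer tell an exact count from one pinned at INT_MAX. A one-line comment above the check would record both the new meaning and the precondition the subtraction relies on, e.g. `/* ret >= 0 here; written saturates at INT_MAX instead of wrapping */`. `INT_MAX - ret` is only safe for non-negative `ret`; the early `return(ret)` just above presumably handles the negative case, but its condition lies outside the hunk. The same comment applies to the identical blocks in the xmlOutputBufferWrite and xmlOutputBufferFlush hunks.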
@@ -3703,7 +3709,10 @@ xmlOutputBufferFlush(xmlOutputBufferPtr out) {
        out->error = XML_IO_FLUSH;
        return(ret);
     }
-    out->written += ret;
+    if (out->written > INT_MAX - ret)
+        out->written = INT_MAX;
+    else
+        out->written += ret;
 
 #ifdef DEBUG_INPUT
     xmlGenericError(xmlGenericErrorContext,

