malloc-fail: Fix reallocation in xmlXIncludeNewRef

Avoid null deref.

Found with libFuzzer, see #344.

xinclude.c

@@ -272,14 +272,18 @@ xmlXIncludeNewRef(xmlXIncludeCtxtPtr ctxt, const xmlChar *URI,
 	}
     }
     if (ctxt->incNr >= ctxt->incMax) {
-	ctxt->incMax *= 2;
+        xmlXIncludeRefPtr *tmp;
-        ctxt->incTab = (xmlXIncludeRefPtr *) xmlRealloc(ctxt->incTab,
+        size_t newSize = ctxt->incMax * 2;
-	             ctxt->incMax * sizeof(ctxt->incTab[0]));
+
-        if (ctxt->incTab == NULL) {
+        tmp = (xmlXIncludeRefPtr *) xmlRealloc(ctxt->incTab,
+	             newSize * sizeof(ctxt->incTab[0]));
+        if (tmp == NULL) {
 	    xmlXIncludeErrMemory(ctxt, elem, "growing XInclude context");
 	    xmlXIncludeFreeRef(ret);
 	    return(NULL);
 	}
+        ctxt->incTab = tmp;
+        ctxt->incMax *= 2;
     }
     ctxt->incTab[ctxt->incNr++] = ret;
     return(ret);