xmllint: Fix use-after-free with --maxmem

Fixes #498.

include/libxml/xmlmemory.h

@@ -139,6 +139,8 @@ XMLPUBFUN void
 /*
  * These are specific to the XML debug memory wrapper.
  */
+XMLPUBFUN size_t
+	xmlMemSize	(void *ptr);
 XMLPUBFUN int
 	xmlMemUsed	(void);
 XMLPUBFUN int

xmllint.c

@@ -352,17 +352,14 @@ myMallocFunc(size_t size)
 static void *
 myReallocFunc(void *mem, size_t size)
 {
-    void *ret;
+    size_t oldsize = xmlMemSize(mem);
 
-    ret = xmlMemRealloc(mem, size);
+    if (xmlMemUsed() + size - oldsize > (size_t) maxmem) {
-    if (ret != NULL) {
-        if (xmlMemUsed() > maxmem) {
         OOM();
-            xmlMemFree(ret);
         return (NULL);
     }
-    }
+
-    return (ret);
+    return (xmlMemRealloc(mem, size));
 }
 static char *
 myStrdupFunc(const char *str)

xmlmemory.c

@@ -558,6 +558,27 @@ xmlMemoryStrdup(const char *str) {
     return(xmlMemStrdupLoc(str, "none", 0));
 }
 
+/**
+ * xmlMemSize:
+ * @ptr:  pointer to the memory allocation
+ *
+ * Returns the size of a memory allocation.
+ */
+
+size_t
+xmlMemSize(void *ptr) {
+    MEMHDR *p;
+
+    if (ptr == NULL)
+	return(0);
+
+    p = CLIENT_2_HDR(ptr);
+    if (p->mh_tag != MEMTAG)
+        return(0);
+
+    return(p->mh_size);
+}
+
 /**
  * xmlMemUsed:
  *