From 8db2a38bb29bc9584479929da49dc774435c9fea Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
Date: Thu, 13 Nov 2025 22:41:23 +0100
Subject: [PATCH] xml: Use safe_emalloc() correctly

Fortunately, libxml won't allow _at this point in time_ to have more
than INT_MAX/5 attributes, so this doesn't cause issues right now.
However, if this limit is ever raised then it can cause an integer
overflow which will cause a heap overflow.
So future-proof this code by properly using safe_emalloc().
---
 ext/xml/compat.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/xml/compat.c b/ext/xml/compat.c
index 25add45f0340a..df241e5b684fc 100644
--- a/ext/xml/compat.c
+++ b/ext/xml/compat.c
@@ -111,7 +111,7 @@ _start_element_handler_ns(void *user, const xmlChar *name, const xmlChar *prefix
 
 	if (attributes != NULL) {
 		xmlChar    *qualified_name_attr = NULL;
-		attrs = safe_emalloc((nb_attributes  * 2) + 1, sizeof(int *), 0);
+		attrs = safe_emalloc(nb_attributes, 2 * sizeof(int *), sizeof(int *));
 
 		for (i = 0; i < nb_attributes; i += 1) {