Improper use of "int" for tracking sizes
When writing large XML files incrementally, there is at least one integer overflow bug located here as a result of written being defined as an "int". This should likely be either a "size_t" or "ssize_t". There may be other instances of this class of bug sprinkled throughout xmlIO.c.
In general, xmlIO.h/.c should likely be using "size_t" and "ssize_t" or equivalents whenever handling size type data, unless the API explicitly prevents it (e.g. if input argument is "read int number of bytes", then the return can be at most INT_MAX).
I am willing to submit a patch to convert size oriented variables to either "size_t" or "ssize_t" if such a patch would be accepted.
Edited by litghost
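The bug class reported above, as an added example that is not code from libxml2 or from the issue author: a running byte total kept in an "int" next to the same loop with a "size_t" total, plus saturation for an API that must return "int". The names `sink_write`, `chunks_until_int_overflow`, `write_chunks` and `clamp_to_int` are hypothetical, the chunk sizes are constructed, and a 32-bit "int" is assumed.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical sink standing in for an output callback: consumes len bytes. */
static int sink_write(const char *buf, int len) { (void)buf; return len; }

/* Chunks written before an int running total would pass INT_MAX. The check
 * runs before the add, so the signed overflow (undefined in C) never happens. */
static size_t chunks_until_int_overflow(size_t nchunks, int chunk_len)
{
    int written = 0;
    for (size_t i = 0; i < nchunks; i++) {
        int n = sink_write(NULL, chunk_len);
        if (n < 0 || written > INT_MAX - n)
            return i;               /* an unchecked "written += n" breaks here */
        written += n;
    }
    return nchunks;
}

/* Same loop with a size_t total; returns 0 on success, -1 on error. */
static int write_chunks(size_t nchunks, int chunk_len, size_t *total)
{
    size_t written = 0;
    for (size_t i = 0; i < nchunks; i++) {
        int n = sink_write(NULL, chunk_len);
        if (n < 0 || (size_t)n > SIZE_MAX - written)
            return -1;
        written += (size_t)n;
    }
    *total = written;
    return 0;
}

/* For an API that must return int: saturate instead of wrapping. */
static int clamp_to_int(size_t total)
{
    return total > (size_t)INT_MAX ? INT_MAX : (int)total;
}

int main(void)
{
    size_t total = 0, nchunks = 600000;   /* constructed: 600000 x 4000 bytes */
    if (write_chunks(nchunks, 4000, &total) != 0) return 1;
    printf("int counter breaks at chunk %zu, real total %zu, clamped %d\n",
           chunks_until_int_overflow(nchunks, 4000), total, clamp_to_int(total));
}
```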