Inject random malloc failures when fuzzing
There are numerous memory safety issues in the code paths handling malloc failures. These issues aren't critical, because an attacker typically can't control when memory allocations fail. Nevertheless, these bugs should be fixed.
Such issues are often detected by static analysis. A more systematic way is to "randomly" inject memory allocation failures when fuzzing. This is easy to implement using libxml2's memory management hooks, but some initial experiments suggest that a huge number of issues will turn up. I guess at least 50-100, maybe even more.
For reference, you can find coverage reports from OSS-Fuzz here: https://oss-fuzz.com/coverage-report/job/libfuzzer_asan_libxml2/latest. Many of the uncovered code paths are related to malloc failure handling. This is code that never got tested, so it's no surprise to see a huge number of bugs.
A related issue is that libxml2 often doesn't return an error code if a memory allocation fails. This could also be detected when fuzzing.
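A sketch of the injection and of the missing-error-code check, as an added example that is not libxml2's own fuzzing code: the failing allocation is chosen by the first input byte rather than truly at random, so a finding replays deterministically. The names `fuzz_malloc`, `fuzz_realloc`, `fuzz_strdup`, `toy_parse` and `fuzz_one` are hypothetical, and `toy_parse` is a constructed stand-in for library code so the block builds without libxml2.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical harness state: fail the Nth allocation, 0 = never fail. */
static size_t fail_at, n_allocs;
static int injected;

static int should_fail(void) {
    if (fail_at != 0 && ++n_allocs == fail_at) { injected = 1; return 1; }
    return 0;
}

/* Same signatures as libxml2's xmlMallocFunc, xmlReallocFunc and
 * xmlStrdupFunc. A real harness would install them once with
 * xmlMemSetup(free, fuzz_malloc, fuzz_realloc, fuzz_strdup). */
void *fuzz_malloc(size_t size) { return should_fail() ? NULL : malloc(size); }
void *fuzz_realloc(void *p, size_t size) {
    return should_fail() ? NULL : realloc(p, size);
}
char *fuzz_strdup(const char *s) {
    size_t len = strlen(s) + 1;
    char *copy = fuzz_malloc(len);
    if (copy != NULL) memcpy(copy, s, len);
    return copy;
}

/* Constructed stand-in for library code: two allocations, returns 0 on
 * success and -1 on allocation failure. report_errors = 0 models the
 * "no error code" bug: the failure is cleaned up but not reported. */
int toy_parse(const unsigned char *data, size_t size, int report_errors) {
    char *name = fuzz_strdup("doc");
    unsigned char *body = name ? fuzz_malloc(size + 1) : NULL;
    int ok = (body != NULL);
    if (ok) memcpy(body, data, size);
    free(body);
    free(name);
    return (ok || !report_errors) ? 0 : -1;
}

/* One fuzz iteration: the first input byte picks which allocation fails.
 * Returns 1 if a failure was injected but the target still reported
 * success (the condition a harness would abort on), else 0. */
int fuzz_one(const unsigned char *data, size_t size, int report_errors) {
    int ret;
    if (size < 1) return 0;
    fail_at = data[0]; n_allocs = 0; injected = 0;
    ret = toy_parse(data + 1, size - 1, report_errors);
    fail_at = 0; /* never inject outside the target */
    return injected && ret == 0;
}
```

Memory errors on the failure paths themselves are left to the sanitizer the fuzzer already runs under; the return value of `fuzz_one` only covers the unreported-failure case.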