Check for integer overflow in xmlXPathFormatNumber

Check for overflow before casting double to int.

Found with afl-fuzz and UBSan.

result/XPath/expr/floats

@@ -242,3 +242,11 @@ Object is a number : -1
 ========================
 Expression: 8 mod 3 = 2
 Object is a Boolean : true
+
+========================
+Expression: 12345678901234567890
+Object is a number : 1.23457e+19
+
+========================
+Expression: -12345678901234567890
+Object is a number : -1.23457e+19

result/XPath/expr/strings

@@ -19,6 +19,14 @@ Object is a string : true
 Expression: string(false())
 Object is a string : false
 
+========================
+Expression: string(12345678901234567890)
+Object is a string : 1.23456789012346e+19
+
+========================
+Expression: string(-12345678901234567890)
+Object is a string : -1.23456789012346e+19
+
 ========================
 Expression: concat("titi","toto")
 Object is a string : tititoto

test/XPath/expr/floats

@@ -59,3 +59,5 @@ number('f') div 1
 -5 mod 2
 -5 mod -2
 8 mod 3 = 2
+12345678901234567890
+-12345678901234567890

test/XPath/expr/strings

@@ -3,6 +3,8 @@ string(0.5)
 string(-0.5)
 string(true())
 string(false())
+string(12345678901234567890)
+string(-12345678901234567890)
 concat("titi","toto")
 concat("titi","toto","tata")
 concat("titi",'toto')

xpath.c

@@ -3106,7 +3106,8 @@ xmlXPathFormatNumber(double number, char buffer[], int buffersize)
 		snprintf(buffer, buffersize, "NaN");
 	} else if (number == 0 && xmlXPathGetSign(number) != 0) {
 	    snprintf(buffer, buffersize, "0");
-	} else if (number == ((int) number)) {
+	} else if ((number > INT_MIN) && (number < INT_MAX) &&
+                   (number == (int) number)) {
 	    char work[30];
 	    char *ptr, *cur;
 	    int value = (int) number;