parser: Fix invalid free in xmlParseBalancedChunkMemoryRecover

Set the dictionary for newDoc in xmlParseBalancedChunkMemoryRecover.
This is a long-standing bug which was masked by

- xmlParseBalancedChunkMemoryRecover changing the document of the root
  node. This is a really bad idea, resulting in a mismatch between
  ctxt->myDoc and ctxt->node->doc.
- SAX2.c preferring ctxt->node->doc over ctxt->myDoc until commit
  a31e1b06.

Fixes #641.

SAX2.c

@@ -1897,8 +1897,17 @@ xmlSAX2AttributeNs(xmlParserCtxtPtr ctxt,
     memset(ret, 0, sizeof(xmlAttr));
     ret->type = XML_ATTRIBUTE_NODE;
 
+    /*
+     * xmlParseBalancedChunkMemoryRecover had a bug that could result in
+     * a mismatch between ctxt->node->doc and ctxt->myDoc. We use
+     * ctxt->node->doc here, but we should somehow make sure that the
+     * document pointers match.
+     */
+
+    /* assert(ctxt->node->doc == ctxt->myDoc); */
+
     ret->parent = ctxt->node;
-    ret->doc = ctxt->myDoc;
+    ret->doc = ctxt->node->doc;
     ret->ns = namespace;
 
     if (ctxt->dictNames)

parser.c

@@ -13416,6 +13416,8 @@ xmlParseBalancedChunkMemoryRecover(xmlDocPtr doc, xmlSAXHandlerPtr sax,
 	ctxt->str_xmlns = xmlDictLookup(ctxt->dict, BAD_CAST "xmlns", 5);
 	ctxt->str_xml_ns = xmlDictLookup(ctxt->dict, XML_XML_NAMESPACE, 36);
 	ctxt->dictNames = 1;
+        newDoc->dict = ctxt->dict;
+        xmlDictReference(newDoc->dict);
     } else {
 	xmlCtxtUseOptionsInternal(ctxt, XML_PARSE_NODICT, NULL);
     }
@@ -13441,7 +13443,6 @@ xmlParseBalancedChunkMemoryRecover(xmlDocPtr doc, xmlSAXHandlerPtr sax,
 	ctxt->myDoc = newDoc;
     } else {
 	ctxt->myDoc = newDoc;
-	newDoc->children->doc = doc;
 	/* Ensure that doc has XML spec namespace */
 	xmlSearchNsByHref(doc, (xmlNodePtr)doc, XML_XML_NAMESPACE);
 	newDoc->oldNs = doc->oldNs;