[CVE-2024-40896] Fix XXE protection in downstream code

Some users set an entity's children manually in the getEntity SAX
callback to restrict entity expansion. This stopped working after
renaming the "checked" member of xmlEntity, making at least one
downstream project and its dependants susceptible to XXE attacks.

See #761.

Author: nwellnhof

parser.c

@@ -7382,6 +7382,14 @@ xmlParseReference(xmlParserCtxtPtr ctxt) {
 	return;
     }
 
+    /*
+     * Some users try to parse entities on their own and used to set
+     * the renamed "checked" member. Fix the flags to cover this
+     * case.
+     */
+    if (((ent->flags & XML_ENT_PARSED) == 0) && (ent->children != NULL))
+        ent->flags |= XML_ENT_PARSED;
+
     /*
      * The first reference to the entity trigger a parsing phase
      * where the ent->children is filled with the result from