Qt / QTBUG-114829

[REG 6.5.1 -> 6.5.2] Crash/failed assert by passing certain xml file to QXmlStreamReader


Details

    • 6326bec46 (dev), 7e9210a83 (6.5), a13f78144 (6.6), fcca4d667 (tqtc/lts-5.15), df51e4095 (tqtc/lts-6.2), 8695e64c6 (6.5.2), bdc8dc513 (dev), c9478b890 (6.5), 70f48ca97 (6.6), 7076e8e9f (tqtc/lts-6.2)

    Description

      1. Build the attached project with a developer build of Qt or with a Qt build with ASAN:
        qt-cmake -S /tmp/report/ && cmake --build . --parallel
        
      2. Run the resulting program and pass the attached xml file:
        ./report 59630.xml
        

        The developer build crashes with a failed assert:

        ASSERT: "len >= 0" in file /home/qtrob/dev/clang-15.0.7/qt-dev_06.23-base_imageformats_svg-devbld-qt-tiff/qtbase/include/QtCore/../../../../../src/qt-dev_06.23-base_imageformats_svg/qtbase/src/corelib/text/qstringview.h, line 136
        

        ASAN prints an error message and backtraces:

        =================================================================
        ==80140==ERROR: AddressSanitizer: negative-size-param: (size=-2)
            #0 0x557f8fd7c2f4 in __asan_memcpy (/tmp/build-report/report+0x3de2f4) (BuildId: eae932069f439b36fbc5c7224fe29259b02e6516)
            #1 0x557f9017a2bc in replaceArgEscapes(QStringView, ArgEscapeData const&, long long, QStringView, QStringView, QChar) qstring.cpp
            #2 0x557f9017795f in QString::arg(QStringView, int, QChar) const (/tmp/build-report/report+0x7d995f) (BuildId: eae932069f439b36fbc5c7224fe29259b02e6516)
            #3 0x557f90295c79 in QXmlStreamReaderPrivate::startDocument() (/tmp/build-report/report+0x8f7c79) (BuildId: eae932069f439b36fbc5c7224fe29259b02e6516)
            #4 0x557f90282f1f in QXmlStreamReaderPrivate::parse() (/tmp/build-report/report+0x8e4f1f) (BuildId: eae932069f439b36fbc5c7224fe29259b02e6516)
            #5 0x557f902adb48 in QXmlStreamReader::readNext() (/tmp/build-report/report+0x90fb48) (BuildId: eae932069f439b36fbc5c7224fe29259b02e6516)
            #6 0x557f8fdc77f4 in main (/tmp/build-report/report+0x4297f4) (BuildId: eae932069f439b36fbc5c7224fe29259b02e6516)
            #7 0x7f8ce0a3984f  (/usr/lib/libc.so.6+0x2384f) (BuildId: 2f005a79cd1a8e385972f5a102f16adba414d75e)
            #8 0x7f8ce0a39909 in __libc_start_main (/usr/lib/libc.so.6+0x23909) (BuildId: 2f005a79cd1a8e385972f5a102f16adba414d75e)
            #9 0x557f8fcc7514 in _start (/tmp/build-report/report+0x329514) (BuildId: eae932069f439b36fbc5c7224fe29259b02e6516)
        
        0x62d000000c52 is located 2130 bytes inside of 32770-byte region [0x62d000000400,0x62d000008402)
        allocated by thread T0 here:
            #0 0x557f8fd7d21a in __interceptor_realloc.part.0 asan_malloc_linux.cpp.o
            #1 0x557f90210b60 in QArrayData::reallocateUnaligned(QArrayData*, void*, long long, long long, QArrayData::AllocationOption) (/tmp/build-report/report+0x872b60) (BuildId: eae932069f439b36fbc5c7224fe29259b02e6516)
            #2 0x557f90193257 in QArrayDataPointer<char16_t>::reallocateAndGrow(QArrayData::GrowthPosition, long long, QArrayDataPointer<char16_t>*) (/tmp/build-report/report+0x7f5257) (BuildId: eae932069f439b36fbc5c7224fe29259b02e6516)
            #3 0x557f90133073 in QString::append(QChar) (/tmp/build-report/report+0x795073) (BuildId: eae932069f439b36fbc5c7224fe29259b02e6516)
            #4 0x557f902a5ae1 in QXmlStreamReaderPrivate::fastScanName(short*) (/tmp/build-report/report+0x907ae1) (BuildId: eae932069f439b36fbc5c7224fe29259b02e6516)
            #5 0x557f90281493 in QXmlStreamReaderPrivate::parse() (/tmp/build-report/report+0x8e3493) (BuildId: eae932069f439b36fbc5c7224fe29259b02e6516)
            #6 0x557f902adb48 in QXmlStreamReader::readNext() (/tmp/build-report/report+0x90fb48) (BuildId: eae932069f439b36fbc5c7224fe29259b02e6516)
            #7 0x557f8fdc77f4 in main (/tmp/build-report/report+0x4297f4) (BuildId: eae932069f439b36fbc5c7224fe29259b02e6516)
            #8 0x7f8ce0a3984f  (/usr/lib/libc.so.6+0x2384f) (BuildId: 2f005a79cd1a8e385972f5a102f16adba414d75e)
        
        SUMMARY: AddressSanitizer: negative-size-param (/tmp/build-report/report+0x3de2f4) (BuildId: eae932069f439b36fbc5c7224fe29259b02e6516) in __asan_memcpy
        ==80140==ABORTING
        

      I could not reproduce this with Qt 6.5.1. Google's oss-fuzz found this as issue 59630. They will publish their report on September 4th at the latest.
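      The two reproduction steps above, driven from a script and with the ASAN output reduced to a crash signature for bucketing fuzzer findings. This is an added example, not the attached project, the reporter's commands or Qt's own tooling. It assumes that qt-cmake comes from a Qt build configured with "-sanitize address" (Qt itself has to be instrumented: the faulting memcpy is in qtbase's QString code, not in the test program), that the attached CMakeLists.txt and main.cpp live in the first argument's directory and build a binary named "report" as on the page, and that the input is the attached 59630.xml. The helper names (asan_kind, asan_size, asan_top_frame, asan_signature, run_repro) and the ASAN_OPTIONS exit code 99 are choices made here, not anything the report specifies.

```shell
#!/bin/sh
# Added example (not from the bug report or from Qt): run the reporter's two steps
# and reduce the AddressSanitizer output to a stable crash signature.
#
# Assumptions not stated on the page: qt-cmake belongs to a Qt build configured
# with "-sanitize address" (Qt must be instrumented, the bad memcpy is inside
# qtbase), the attached CMakeLists.txt/main.cpp are in SRC_DIR and build a
# binary called "report", and the input is the attached 59630.xml.
set -eu

# Sanitizer error kind from the first report line, e.g. "negative-size-param".
asan_kind() {
    sed -n 's/^==[0-9]*==ERROR: AddressSanitizer: \([a-z-]*\).*/\1/p' "$1" | head -n 1
}

# The "(size=N)" value printed for size-related errors; empty when absent.
asan_size() {
    sed -n 's/^==[0-9]*==ERROR: AddressSanitizer: .*(size=\(-*[0-9]*\)).*/\1/p' "$1" | head -n 1
}

# First frame of the error stack that is not a sanitizer runtime/interceptor
# frame, i.e. the function in which the bad operation happened. Scanning stops
# at the blank line that ends the first stack, so the allocation stack below it
# (which starts with __interceptor_realloc) is never considered.
asan_top_frame() {
    awk '
        /==ERROR: AddressSanitizer:/ { inerr = 1; next }
        inerr && /^[ \t]*$/ { exit }
        inerr && /^[ \t]*#[0-9]+ 0x[0-9a-fA-F]+ in / {
            sub(/^[ \t]*#[0-9]+ 0x[0-9a-fA-F]+ in /, "")
            if ($0 !~ /^(__asan_|__interceptor_|__sanitizer_)/) {
                sub(/[ (].*$/, "")   # drop parameter list and module suffix
                print
                exit
            }
        }
    ' "$1"
}

# Bucketing key for fuzzer crashes: "<kind>@<faulting function>".
asan_signature() {
    printf '%s@%s\n' "$(asan_kind "$1")" "$(asan_top_frame "$1")"
}

# Steps 1 and 2 of the report: configure and build the attached project, run it
# on one input and keep stderr. Returns 0 for a clean run, 1 if ASAN reported.
run_repro() {
    src_dir=$1
    input=$2
    build_dir=${3:-/tmp/build-report}
    qt-cmake -S "$src_dir" -B "$build_dir"
    cmake --build "$build_dir" --parallel
    # exitcode= makes a sanitizer report distinguishable from other failures.
    status=0
    ASAN_OPTIONS="exitcode=99:symbolize=1" "$build_dir/report" "$input" \
        2> "$build_dir/asan.log" || status=$?
    if [ "$status" -eq 99 ]; then
        echo "ASAN: $(asan_signature "$build_dir/asan.log") size=$(asan_size "$build_dir/asan.log")"
        return 1
    fi
    echo "clean exit (status $status)"
}

# Only build and run when invoked with arguments: ./repro.sh /tmp/report 59630.xml
if [ "$#" -ge 2 ]; then
    run_repro "$@"
fi
```

      On the report above the signature comes out as negative-size-param@replaceArgEscapes: the interceptor frame __asan_memcpy is skipped, and the allocation stack (whose first non-sanitizer frame is QArrayData::reallocateUnaligned) is ignored, so two inputs that reach the same bad memcpy through different allocation histories land in the same bucket.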

      Attachments

        1. 59630.xml (9 kB)
        2. CMakeLists.txt (0.3 kB)
        3. main.cpp (0.3 kB)


            People

              ahmad.samir Ahmad Samir
              rlohning Robert Löhning