MapServer: heap-buffer-overflow in SLD Categorize parser (msSLDParseRasterSymbolizer)
What's the vulnerability?
MapServer is a CGI binary that parses OGC SLD (Styled Layer Descriptor) XML to style raster/vector layers it serves over WMS/WFS. msSLDParseRasterSymbolizer in src/mapogcsld.cpp (around line 2894) allocates a fixed-size buffer for 100 threshold pointers for a <se:Categorize> element. The reallocation guard checks the wrong variable — nValues == nMaxThreshold instead of nThresholds == nMaxThreshold. Because nValues increments at a different rate than nThresholds, reallocation never fires when the SLD contains more than 100 <se:Threshold> children, and the subsequent pointer writes spill past the 100-slot array.
The bug is reachable unauthenticated on any MapServer instance that accepts an SLD body in its WMS request (SLD_BODY parameter is the standard OGC angle; SLD URL-by-reference also reaches the same parser). Practical impact is at minimum a worker-process crash (CVSS A:H per NIST); depending on heap state, the spilled pointers may be controllable enough for a stronger consequence — that's outside the scope this ticket asks for, but it does NOT cap at "ASAN goes brr". The reproduction MUST hit the real mapserv CGI entry, not a unit-test harness.
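As an added illustration (a constructed model, not MapServer's code), the hardened shape of the guard: reallocation keyed on nThresholds, the counter that actually indexes the write, so that more than 100 <se:Threshold> children grow the array instead of overrunning it. The struct, the child-walk and the function names are assumptions for the example; the counter and capacity names follow the advisory.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the <se:Categorize> child walk (not MapServer's code).
 * Children alternate <se:Value>/<se:Threshold>; one pointer is stored per
 * <se:Threshold>, i.e. the 100-slot array the advisory describes. */
typedef struct {
    const char **thresholds; /* one slot per <se:Threshold> */
    int nThresholds;         /* index of the next threshold write */
    int nValues;             /* <se:Value> count; grows at a different rate */
    int nMaxThreshold;       /* current capacity of thresholds[] */
} categorize_t;

static int grow_if_full(categorize_t *c)
{
    /* Fix: test the counter that indexes the write (nThresholds), not nValues,
     * which the advisory says the original guard compared against nMaxThreshold. */
    if (c->nThresholds == c->nMaxThreshold) {
        int newMax = c->nMaxThreshold * 2;
        const char **p = realloc(c->thresholds, (size_t)newMax * sizeof *p);
        if (!p) return 0;
        c->thresholds = p;
        c->nMaxThreshold = newMax;
    }
    return 1;
}

/* Handle one child element; returns 0 if a write would leave the array. */
static int add_child(categorize_t *c, const char *name, const char *text)
{
    if (strcmp(name, "se:Threshold") == 0) {
        if (!grow_if_full(c) || c->nThresholds >= c->nMaxThreshold) return 0;
        c->thresholds[c->nThresholds++] = text;
    } else if (strcmp(name, "se:Value") == 0) {
        c->nValues++;
    }
    return 1;
}

/* Walk a constructed Categorize with n thresholds (n+1 values). Returns the
 * capacity reached, or -1 if any write would have gone out of bounds. */
int parse_categorize(int n)
{
    categorize_t c = { malloc(100 * sizeof(const char *)), 0, 0, 100 };
    int ok = c.thresholds != NULL;
    for (int i = 0; ok && i < n; i++)
        ok = add_child(&c, "se:Value", "v") && add_child(&c, "se:Threshold", "t");
    if (ok) ok = add_child(&c, "se:Value", "v");
    int cap = (ok && c.nThresholds == n) ? c.nMaxThreshold : -1;
    free(c.thresholds);
    return cap;
}
```

With the guard on nThresholds the capacity doubles exactly when the 101st and 201st thresholds arrive; any count beyond 100 would have been an out-of-bounds write under the original guard.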
Root Cause Analysis
Variant Analysis
Bypass and alternate trigger exploration (if present).
Verify with pruva-verify
Run the Pruva CLI to automatically fetch and execute the reproduction script.
    pruva-verify REPRO-2026-00183
    pruva-verify GHSA-cv4m-mr84-fgjp
    pruva-verify CVE-2026-33721
Install the CLI (if needed):
    curl -fsSL https://pruva.dev/install.sh | sh
Or Run Manually
Download the script:
    curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00183/artifacts/bundle/repro/reproduction_steps.sh
Make executable:
    chmod +x reproduction_steps.sh
Run the script:
    ./reproduction_steps.sh
How Pruva Reproduced This