libzip: backport security fixes for CVE-2012-1162, CVE-2012-1163, CVE-2015-2331

Backport fixes for multiple security vulnerabilities to bundled
libzip 0.6.1. A full library upgrade is not feasible due to breaking
API changes in libzip 0.11+.

Fixes:
- CVE-2012-1162: heap buffer overflow in _zip_readcdir when nentry
  is 0 but central directory data is present. Initialize directory
  entries before reading to prevent use of uninitialized memory.
- CVE-2012-1163: integer overflow in central directory size
  calculation. Validate cd->size + cd->comment_len + EOCDLEN does
  not wrap. Add overflow guards before size*nentry allocations.
- CVE-2015-2331: integer overflow in _zip_cdir_new when computing
  allocation size for large nentry values on 32-bit systems.
- Fix memory leaks on error paths in _zip_dirent_read where partial
  allocations (filename, extrafield, comment) were not freed on
  subsequent allocation failures (related to CVE-2017-12858).
- Replace deprecated stricmp with portable strcasecmp in
  zip_name_locate.

Note: CVE-2011-0421 was already patched in the bundled copy.
CVE-2017-14107 does not apply (no ZIP64 support in 0.6.1).
CVE-2017-12858 and CVE-2019-17582 manifest differently in 0.6.1
(memory leak, not double-free/use-after-free) and are addressed
by the error-path cleanup above.

Reference: open-watcom#1369

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: ddanila

contrib/libzip/lib/zdirent.c

@@ -39,6 +39,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <errno.h>
+#include <stddef.h>
 #include <sys/types.h>
 
 #include "wio.h"
@@ -77,12 +78,20 @@ _zip_cdir_new(int nentry, struct zip_error *error)
 {
     struct zip_cdir *cd;
 
+    if (nentry < 0 || (nentry > 0 && (size_t)nentry > SIZE_MAX / sizeof(*(cd->entry)))) {
+        _zip_error_set(error, ZIP_ER_MEMORY, 0);
+        return NULL;
+    }
+
     if ((cd=ZIP_ALLOC(sizeof(*cd))) == NULL) {
         _zip_error_set(error, ZIP_ER_MEMORY, 0);
         return NULL;
     }
 
-    if ((cd->entry=ZIP_ALLOC(sizeof(*(cd->entry))*nentry)) == NULL) {
+    if (nentry == 0) {
+        cd->entry = NULL;
+    }
+    else if ((cd->entry=ZIP_ALLOC(sizeof(*(cd->entry))*nentry)) == NULL) {
         _zip_error_set(error, ZIP_ER_MEMORY, 0);
         ZIP_FREE(cd);
         return NULL;
@@ -282,14 +291,18 @@ _zip_dirent_read(struct zip_dirent *zde, FILE *fp,
         if (zde->extrafield_len) {
             zde->extrafield = _zip_readstr(&cur, zde->extrafield_len, 0,
                                            error);
-            if (!zde->extrafield)
+            if (!zde->extrafield) {
+                _zip_dirent_finalize(zde);
                 return -1;
+            }
         }
 
         if (zde->comment_len) {
             zde->comment = _zip_readstr(&cur, zde->comment_len, 0, error);
-            if (!zde->comment)
+            if (!zde->comment) {
+                _zip_dirent_finalize(zde);
                 return -1;
+            }
         }
     }
     else {
@@ -302,14 +315,18 @@ _zip_dirent_read(struct zip_dirent *zde, FILE *fp,
         if (zde->extrafield_len) {
             zde->extrafield = _zip_readfpstr(fp, zde->extrafield_len, 0,
                                              error);
-            if (!zde->extrafield)
+            if (!zde->extrafield) {
+                _zip_dirent_finalize(zde);
                 return -1;
+            }
         }
 
         if (zde->comment_len) {
             zde->comment = _zip_readfpstr(fp, zde->comment_len, 0, error);
-            if (!zde->comment)
+            if (!zde->comment) {
+                _zip_dirent_finalize(zde);
                 return -1;
+            }
         }
     }
 

contrib/libzip/lib/znameloc.c

@@ -65,7 +65,7 @@ _zip_name_locate(struct zip *za, const char *fname, int flags,
 	return -1;
     }
 
-    cmp = (flags & ZIP_FL_NOCASE) ? stricmp : strcmp;
+    cmp = (flags & ZIP_FL_NOCASE) ? strcasecmp : strcmp;
 
     n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry;
     for (i=0; i<n; i++) {

contrib/libzip/lib/zopen.c

@@ -39,6 +39,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <errno.h>
+#include <stddef.h>
 #include <sys/types.h>
 
 #include "wio.h"
@@ -193,7 +194,16 @@ zip_open(const char *fn, int flags, int *zep)
         return NULL;
     }
 
-    if ((za->entry=ZIP_ALLOC(sizeof(*(za->entry))*cdir->nentry)) == NULL) {
+    if (cdir->nentry > 0
+        && (size_t)cdir->nentry > SIZE_MAX / sizeof(*(za->entry))) {
+        set_error(zep, NULL, ZIP_ER_MEMORY);
+        _zip_free(za);
+        return NULL;
+    }
+    if (cdir->nentry == 0) {
+        za->entry = NULL;
+    }
+    else if ((za->entry=ZIP_ALLOC(sizeof(*(za->entry))*cdir->nentry)) == NULL) {
         set_error(zep, NULL, ZIP_ER_MEMORY);
         _zip_free(za);
         return NULL;
@@ -269,6 +279,13 @@ _zip_readcdir(FILE *fp, unsigned char *buf, unsigned char *eocd, int buflen,
     cd->comment = NULL;
     cd->comment_len = _zip_read2(&cdp);
 
+    if (cd->size + cd->comment_len + EOCDLEN < cd->size) {
+        /* integer overflow in size calculation */
+        _zip_error_set(error, ZIP_ER_NOZIP, 0);
+        _zip_cdir_free(cd);
+        return NULL;
+    }
+
     /* some zip files are broken; their internal comment length
        says 0, but they have 1 or 2 comment bytes */
     if ((comlen-cd->comment_len < 0) || (comlen-cd->comment_len > 2)
@@ -309,6 +326,9 @@ _zip_readcdir(FILE *fp, unsigned char *buf, unsigned char *eocd, int buflen,
         }
     }
 
+    for (i=0; i<cd->nentry; i++)
+        _zip_dirent_init(cd->entry+i);
+
     for (i=0; i<cd->nentry; i++) {
         if ((_zip_dirent_read(cd->entry+i, fp, bufp, eocd-cdp, 0,
                               error)) < 0) {