authorjbeich <jbeich@FreeBSD.org>2015-09-20 17:22:44 +0800
committerjbeich <jbeich@FreeBSD.org>2015-09-20 17:22:44 +0800
commit0b0e896e78ab5f23a2ebdc092faae1e12b657a63 (patch)
tree8860062afdf69826a6806c56c24b3f66c645a5bc /emulators/ppsspp
parent53a446d3327bb28dd9ca394676e100bbe18c1a9a (diff)
Backport CVE-2015-2331 fix to bundled libzip
MFH: 2015Q3 Security: 264749ae-d565-11e4-b545-00269ee29e57
Diffstat (limited to 'emulators/ppsspp')
-rw-r--r--emulators/ppsspp/Makefile2
-rw-r--r--emulators/ppsspp/files/patch-CVE-2015-233118
2 files changed, 19 insertions, 1 deletions
diff --git a/emulators/ppsspp/Makefile b/emulators/ppsspp/Makefile
index a6392f933047..061e15cac928 100644
--- a/emulators/ppsspp/Makefile
+++ b/emulators/ppsspp/Makefile
@@ -3,7 +3,7 @@
PORTNAME= ppsspp
DISTVERSIONPREFIX= v
DISTVERSION?= 1.0.1
-PORTREVISION?= 4
+PORTREVISION?= 5
CATEGORIES= emulators
.ifndef PKGNAMESUFFIX
diff --git a/emulators/ppsspp/files/patch-CVE-2015-2331 b/emulators/ppsspp/files/patch-CVE-2015-2331
new file mode 100644
index 000000000000..599186ff6c6c
--- /dev/null
+++ b/emulators/ppsspp/files/patch-CVE-2015-2331
@@ -0,0 +1,18 @@
+From ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 17 Mar 2015 21:59:56 -0700
+Subject: Fix bug #69253 - ZIP Integer Overflow leads to writing past heap boundary
+
+diff --git a/ext/zip/lib/zip_dirent.c b/ext/zip/lib/zip_dirent.c
+index b9dac5c..0090801 100644
+--- native/ext/libzip/zip_dirent.c
++++ native/ext/libzip/zip_dirent.c
+@@ -101,7 +101,7 @@ _zip_cdir_new(int nentry, struct zip_error *error)
+ return NULL;
+ }
+
+- if ((cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*nentry))
++ if ( nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*(size_t)nentry))
+ == NULL) {
+ _zip_error_set(error, ZIP_ER_MEMORY, 0);
+ free(cd);
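Review bot: The new overflow guard in `_zip_cdir_new` compares the `int` parameter `nentry` directly against a `size_t` bound, so a negative count is rejected only through the implicit signed-to-unsigned conversion in that comparison. That works, but it is easy to break in a later edit and trips `-Wsign-compare`; spelling it out as `if (nentry < 0 || (size_t)nentry > ((size_t)-1)/sizeof(*(cd->entry)) || ...` keeps the bounds check self-evident. Since the count presumably comes from the archive's central directory (the callers are not visible here), a short comment such as `/* nentry is read from the archive; reject counts whose byte size would wrap size_t */` above the condition would record why the check exists. The function body begins and ends outside the hunk, so whether `nentry == 0` (a `malloc(0)` that may legitimately return NULL) is handled separately cannot be confirmed from these lines.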