Backport CVE patches.

CVE-2011-0421 (nih-at/libzip@88efa42)
CVE-2015-2331 (php/php-src@ef8fc4b)

Fix MSVC build

strcasecmp has a Watcom-native implementation and is portable sans Windows. This replaces a prior stricmp call, which is deprecated in the Watcom C library.

Author: mal359

contrib/libzip/lib/zdirent.c

@@ -81,8 +81,9 @@ _zip_cdir_new(int nentry, struct zip_error *error)
 	_zip_error_set(error, ZIP_ER_MEMORY, 0);
 	return NULL;
     }
-
-    if ((cd->entry=malloc(sizeof(*(cd->entry))*nentry)) == NULL) {
+	
+    if ( nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_dirent *)malloc(sizeof(*(cd->entry))*(size_t)nentry)) 
+	== NULL) {
 	_zip_error_set(error, ZIP_ER_MEMORY, 0);
 	free(cd);
 	return NULL;

contrib/libzip/lib/znameloc.c

@@ -36,6 +36,11 @@
 
 
 #include <string.h>
+#ifdef _MSC_VER
+#define strcasecmp _stricmp
+#else
+#include <strings.h>
+#endif
 
 #include "wio.h"
 
@@ -64,8 +69,13 @@ _zip_name_locate(struct zip *za, const char *fname, int flags,
 	_zip_error_set(error, ZIP_ER_INVAL, 0);
 	return -1;
     }
+	
+    if ((flags & ZIP_FL_UNCHANGED)  && za->cdir == NULL) {
+	_zip_error_set(error, ZIP_ER_NOENT, 0);
+	return -1;
+    }
 
-    cmp = (flags & ZIP_FL_NOCASE) ? stricmp : strcmp;
+    cmp = (flags & ZIP_FL_NOCASE) ? strcasecmp : strcmp;
 
     n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry;
     for (i=0; i<n; i++) {