Fix NULL pointer dereference in archive_acl_from_text_w()
authorzhangjy1014 <60053759+zhangjy1014@users.noreply.github.com>
Sun, 8 Feb 2026 09:18:43 +0000 (17:18 +0800)
committerzhangjy1014 <60053759+zhangjy1014@users.noreply.github.com>
Sun, 8 Feb 2026 09:18:43 +0000 (17:18 +0800)
When parsing a short "default" ACL prefix (e.g. L"d") with no
subsequent tag field, field[n] is left as {NULL, NULL} and the
code dereferences it unconditionally in the switch statement,
causing a SEGV.

Add a zero-length check after computing the field length so that
malformed entries are skipped with ARCHIVE_WARN, matching the
documented contract. Also move the st pointer computation after
the guard to avoid dereferencing a NULL start pointer.

Fixes libarchive/libarchive#2744

libarchive/archive_acl.c

index 362e3308f43f237ff9b03ec258e9f37ecf136b9b..ab601833def6fafdf3daab5b701e29e4722ece55 100644 (file)
@@ -1256,8 +1256,12 @@ archive_acl_from_text_w(struct archive_acl *acl, const wchar_t *text,
 
                        tag = 0;
                        s = field[n].start;
-                       st = field[n].start + 1;
                        len = field[n].end - field[n].start;
+                       if (len == 0) {
+                               ret = ARCHIVE_WARN;
+                               continue;
+                       }
+                       st = s + 1;
 
                        switch (*s) {
                        case L'u':
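Review bot: The new `len == 0` guard carries no comment saying why an empty tag field can occur, so a later cleanup could move `st = s + 1` or the `switch (*s)` back above it. A line such as `/* Empty tag field (e.g. a bare L"d" prefix): start and end are both NULL, skip the entry. */` directly above the check would record the invariant. Per the commit message the field is {NULL, NULL} in this case, so `len` is still computed by subtracting two null pointers, which C does not strictly define; testing `s == NULL` before the subtraction would avoid relying on it. Only archive_acl.c is visible in this commit, so a regression case feeding the malformed entry and expecting ARCHIVE_WARN appears to be missing. The body of archive_acl_from_text_w starts and ends outside the hunk.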