From: zhangjy1014 <60053759+zhangjy1014@users.noreply.github.com> Date: Sun, 8 Feb 2026 09:18:43 +0000 (+0800) Subject: Fix NULL pointer dereference in archive_acl_from_text_w() X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7a6549a6bf4bc4d14c1ae3de8aeba53a11d1faa7;p=thirdparty%2Flibarchive.git Fix NULL pointer dereference in archive_acl_from_text_w() When parsing a short "default" ACL prefix (e.g. L"d") with no subsequent tag field, field[n] is left as {NULL, NULL} and the code dereferences it unconditionally in the switch statement, causing a SEGV. Add a zero-length check after computing the field length so that malformed entries are skipped with ARCHIVE_WARN, matching the documented contract. Also move the st pointer computation after the guard to avoid dereferencing a NULL start pointer. Fixes libarchive/libarchive#2744 --- diff --git a/libarchive/archive_acl.c b/libarchive/archive_acl.c index 362e3308f..ab601833d 100644 --- a/libarchive/archive_acl.c +++ b/libarchive/archive_acl.c @@ -1256,8 +1256,12 @@ archive_acl_from_text_w(struct archive_acl *acl, const wchar_t *text, tag = 0; s = field[n].start; - st = field[n].start + 1; len = field[n].end - field[n].start; + if (len == 0) { + ret = ARCHIVE_WARN; + continue; + } + st = s + 1; switch (*s) { case L'u':
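Review bot: the new guard `if (len == 0)` catches the `{NULL, NULL}` case only indirectly, because `len` is still computed as `field[n].end - field[n].start` before the check, so the fix depends on the difference of two NULL pointers evaluating to 0. Testing the pointer itself, for example `if (s == NULL || len == 0)`, or checking `s == NULL` before the subtraction, would state the intent directly and would not rely on that arithmetic. A one-line comment above the guard saying that a short "default" prefix such as L"d" leaves the field empty would also help the next reader, since `st = s + 1` now silently depends on the guard having run first. The diff touches only `libarchive/archive_acl.c`; a regression test that passes L"d" and expects ARCHIVE_WARN would keep the skip-with-warning behaviour described in the commit message from regressing.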