From 7a6549a6bf4bc4d14c1ae3de8aeba53a11d1faa7 Mon Sep 17 00:00:00 2001
From: zhangjy1014 <60053759+zhangjy1014@users.noreply.github.com>
Date: Sun, 8 Feb 2026 17:18:43 +0800
Subject: [PATCH] Fix NULL pointer dereference in archive_acl_from_text_w()
When parsing a short "default" ACL prefix (e.g. L"d") with no subsequent tag field, field[n] is left as {NULL, NULL} and the code dereferences it unconditionally in the switch statement, causing a SEGV. Add a zero-length check after computing the field length so that malformed entries are skipped with ARCHIVE_WARN, matching the documented contract. Also move the st pointer computation after the guard to avoid dereferencing a NULL start pointer. Fixes libarchive/libarchive#2744
---
 libarchive/archive_acl.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/libarchive/archive_acl.c b/libarchive/archive_acl.c
index 362e3308f..ab601833d 100644
--- a/libarchive/archive_acl.c
+++ b/libarchive/archive_acl.c
@@ -1256,8 +1256,12 @@ archive_acl_from_text_w(struct archive_acl *acl, const wchar_t *text,
 tag = 0;
 s = field[n].start;
- st = field[n].start + 1;
 len = field[n].end - field[n].start;
+ if (len == 0) {
+ ret = ARCHIVE_WARN;
+ continue;
+ }
+ st = s + 1;
 switch (*s) {
 case L'u':
-- 2.47.3
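Review bot: The new `len == 0` guard detects the missing tag field only through `field[n].end - field[n].start`, which for the `{NULL, NULL}` case named in the commit message subtracts two null pointers; C11 leaves that undefined even though common compilers yield 0. Testing the pointer directly states the intent and does not depend on that result: `if (s == NULL || len == 0) {`. The diffstat shows only archive_acl.c changed, so a regression test that feeds the short `L"d"` prefix and expects ARCHIVE_WARN would keep the crash from coming back, and it is worth confirming that the narrow-character ACL text parser carries an equivalent guard. The enclosing loop starts and ends outside the hunk, so whether `continue` skips any per-entry state cannot be checked from these lines.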