Fix NULL pointer dereference in archive_acl_from_text_nl

### Summary
This PR fixes a NULL pointer dereference in `archive_acl_from_text_nl()` (located in `archive_acl.c`) that occurs when parsing malformed PAX tar archives containing a short "default" ACL prefix.

### Technical Details
This is a variant of the bug previously fixed in the wide-character version `archive_acl_from_text_w()` via commit 7a6549a6 (Issue #2744).

The vulnerability exists because `st = field[n].start + 1` is calculated before verifying if the field length is zero. In cases of malformed entries, `field[n].start` can be NULL, leading to Undefined Behavior/SIGILL. This patch applies the same logic from the wide-char fix: moving the pointer increment after the length guard.

### Validation
- **Environment:** Ubuntu 24.04, compiled with AddressSanitizer (ASan) and UndefinedBehaviorSanitizer (UBSan).
- **Reproduction:** Verified that the minimized PAX tar archive provided in issue #2904 no longer triggers the crash.
- **Regression:** All existing library tests pass.

Closes #2904

diff --git a/libarchive/archive_acl.c b/libarchive/archive_acl.c
index ab601833def6fafdf3daab5b701e29e4722ece55..14a107a47ccd5e2a6e6b0d9f213b3de7bb436f5f 100644 (file)
--- a/libarchive/archive_acl.c
+++ b/libarchive/archive_acl.c
@@ -1755,7 +1755,6 @@ archive_acl_from_text_nl(struct archive_acl *acl, const char *text,
 
                        tag = 0;
                        s = field[n].start;
-                       st = field[n].start + 1;
                        len = field[n].end - field[n].start;
 
                        if (len == 0) {
@@ -1763,6 +1762,8 @@ archive_acl_from_text_nl(struct archive_acl *acl, const char *text,
                                continue;
                        }
 
+                       st = s + 1; 
+
                        switch (*s) {
                        case 'u':
                                if (len == 1 || (len == 4