Index: head/lib/libc/posix1e/acl_calc_mask.c
===================================================================
--- head/lib/libc/posix1e/acl_calc_mask.c
+++ head/lib/libc/posix1e/acl_calc_mask.c
@@ -104,6 +104,7 @@
 		/* if no mask exists, check acl_cnt... */
 		if (acl_int_new->acl_cnt == ACL_MAX_ENTRIES) {
 			errno = ENOMEM;
+			acl_free(acl_new);
 			return (-1);
 		}
 		/* ...and add the mask entry */
Index: head/lib/libc/posix1e/acl_strip.c
===================================================================
--- head/lib/libc/posix1e/acl_strip.c
+++ head/lib/libc/posix1e/acl_strip.c
@@ -82,8 +82,10 @@
 
 	have_mask_entry = 0;
 	acl_new = acl_init(ACL_MAX_ENTRIES);
-	if (acl_new == NULL)
+	if (acl_new == NULL) {
+		acl_free(acl_old);
 		return (NULL);
+	}
 	tag = ACL_UNDEFINED_TAG;
 
 	/* only save the default user/group/other entries */
@@ -94,16 +96,16 @@
 		assert(_entry_brand(entry) == ACL_BRAND_POSIX);
 
 		if (acl_get_tag_type(entry, &tag) == -1)
-			return (NULL);
+			goto fail;
 
 		switch(tag) {
 		case ACL_USER_OBJ:
 		case ACL_GROUP_OBJ:
 		case ACL_OTHER:
 			if (acl_get_tag_type(entry, &tag) == -1)
-				return (NULL);
+				goto fail;
 			if (acl_get_permset(entry, &perm) == -1)
-				return (NULL);
+				goto fail;
 			if (acl_create_entry(&acl_new, &entry_new) == -1)
 				return (NULL);
 			if (acl_set_tag_type(entry_new, tag) == -1)
@@ -120,6 +122,10 @@
 		default:
 			break;
 		}
+fail:
+	acl_free(acl_new);
+	acl_free(acl_old);
+	return (NULL);
 	}
 
 	assert(_acl_brand(acl_new) == ACL_BRAND_POSIX);