Index: lib/libc/posix1e/acl_calc_mask.c
===================================================================
--- lib/libc/posix1e/acl_calc_mask.c
+++ lib/libc/posix1e/acl_calc_mask.c
@@ -104,6 +104,7 @@
 /* if no mask exists, check acl_cnt... */
 if (acl_int_new->acl_cnt == ACL_MAX_ENTRIES) {
 errno = ENOMEM;
+ acl_free(acl_new);
 return (-1);
 }
 /* ...and add the mask entry */
Index: lib/libc/posix1e/acl_strip.c
===================================================================
--- lib/libc/posix1e/acl_strip.c
+++ lib/libc/posix1e/acl_strip.c
@@ -82,8 +82,10 @@
 have_mask_entry = 0;
 acl_new = acl_init(ACL_MAX_ENTRIES);
- if (acl_new == NULL)
+ if (acl_new == NULL) {
+ acl_free(acl_old);
 return (NULL);
+ }
 tag = ACL_UNDEFINED_TAG;
 /* only save the default user/group/other entries */
@@ -93,17 +95,23 @@
 assert(_entry_brand(entry) == ACL_BRAND_POSIX);
- if (acl_get_tag_type(entry, &tag) == -1)
+ if (acl_get_tag_type(entry, &tag) == -1) {
+ acl_free(acl_old);
 return (NULL);
+ }
 switch(tag) {
 case ACL_USER_OBJ:
 case ACL_GROUP_OBJ:
 case ACL_OTHER:
- if (acl_get_tag_type(entry, &tag) == -1)
+ if (acl_get_tag_type(entry, &tag) == -1) {
+ acl_free(acl_old);
 return (NULL);
- if (acl_get_permset(entry, &perm) == -1)
+ }
+ if (acl_get_permset(entry, &perm) == -1) {
+ acl_free(acl_old);
 return (NULL);
+ }
 if (acl_create_entry(&acl_new, &entry_new) == -1)
 return (NULL);
 if (acl_set_tag_type(entry_new, tag) == -1)
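Review bot: In the `acl_cnt == ACL_MAX_ENTRIES` branch of lib/libc/posix1e/acl_calc_mask.c (hunk `@@ -104,6 +104,7 @@`), `errno = ENOMEM` is assigned before the new `acl_free(acl_new)` call, so the error the caller sees depends on acl_free() leaving errno untouched. acl_free() presumably ends in free(), which older POSIX editions do not guarantee preserves errno. Swapping the two lines, `acl_free(acl_new);` followed by `errno = ENOMEM;`, makes the reported error independent of the release path. The enclosing function starts and ends outside the hunk, so whether its other early returns also release `acl_new` cannot be checked from here.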
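Review bot: Once `acl_new = acl_init(ACL_MAX_ENTRIES)` succeeds in lib/libc/posix1e/acl_strip.c (hunk `@@ -82,8 +82,10 @@`), two ACLs are live, but the error returns added in the following hunk for `acl_get_tag_type` and `acl_get_permset` release only `acl_old`, so `acl_new` still leaks on those paths. The unchanged `acl_create_entry` failure visible there returns without releasing either object. Each of those returns should release both, e.g. `acl_free(acl_old); acl_free(acl_new); return (NULL);`, or jump to a single cleanup label that does. The function and the last hunk continue past what is shown, so later paths may already be handled there.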