It's possible for resolve_ref_unsafe() to return NULL with a REF_ISSYMREF flag if a symref points to a broken ref. In this case, the read_remote_branches() function will segfault passing the name to xstrdup(). This is hard to trigger in practice, since this function is used as a callback to for_each_ref(), which will skip broken refs in the first place (so it would have to be broken racily, or for us to see a transient filesystem error). If we see such a racy broken outcome let's treat it as "not a symref". This is exactly the same thing that would happen in the non-racy case (our function would not be called at all, as for_each_ref would skip the broken symref). Signed-off-by: Jeff King <peff@xxxxxxxx> --- builtin/remote.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/builtin/remote.c b/builtin/remote.c index 4f5cac96b0..bc89623695 100644 --- a/builtin/remote.c +++ b/builtin/remote.c @@ -565,7 +565,7 @@ static int read_remote_branches(const char *refname, item = string_list_append(rename->remote_branches, xstrdup(refname)); symref = resolve_ref_unsafe(refname, RESOLVE_REF_READING, NULL, &flag); - if (flag & REF_ISSYMREF) + if (symref && (flag & REF_ISSYMREF)) item->util = xstrdup(symref); else item->util = NULL; -- 2.15.0.rc1.560.g5f0609e481
