builtin-fetch--tool: make sure not to overstep ls-remote-result buffer.

Signed-off-by: Junio C Hamano <junkio@cox.net>

diff --git a/builtin-fetch--tool.c b/builtin-fetch--tool.c
index 5301c3cb783a8d2949ba93e776c4a3166da37c81..eeee0a5ebf61af8844471130f666c5ae3bb6b249 100644 (file)
--- a/builtin-fetch--tool.c
+++ b/builtin-fetch--tool.c
@@ -407,6 +407,8 @@ static int expand_refs_wildcard(const char *ls_remote_result, int numrefs,
                        eol = !next ? (ls + strlen(ls)) : next;
                        if (!memcmp("^{}", eol-3, 3))
                                continue;
+                       if (eol - ls < 40)
+                               continue;
                        if (get_sha1_hex(ls, sha1))
                                continue;
                        ls += 40;