help_unknown_ref(): duplicate collected refnames
When "git merge" sees an unknown refname, we iterate through the refs to try to suggest some possible alternates. We do so with for_each_ref(), and in the callback we add some of the refnames we get to a string_list that is declared with NODUP, directly adding a pointer into the refname string our callback received. But the for_each_ref() machinery does not promise that the refname string will remain valid, and as a result we may print garbage memory. The code in question dates back to its inception in e56181060e (help: add help_unknown_ref(), 2013-05-04). But back then, the refname strings generally did remain stable, at least immediately after the for_each_ref() call. Later, in d1cf15516f (packed_ref_iterator_begin(): iterate using `mmapped_ref_iterator`, 2017-09-25), we started consistently re-using a separate buffer for packed refs. The fix is simple: duplicate the strings we intend to collect. We already call string_list_clear(), so the memory is correctly freed. Signed-off-by: Jeff King <> Signed-off-by: Junio C Hamano <>
diff --git a/t/ b/t/
index 1061482..592850c 100755
--- a/t/
+++ b/t/
@@ -822,4 +822,18 @@ test_expect_success EXECKEEPSPID 'killed merge can be completed with --continue'
verify_parents $c0 $c1
+test_expect_success 'merge suggests matching remote refname' '
+ git commit --allow-empty -m not-local &&
+ git update-ref refs/remotes/origin/not-local HEAD &&
+ git reset --hard HEAD^ &&
+ # This is white-box testing hackery; we happen to know
+ # that reading packed refs is more picky about the memory
+ # ownership of strings we pass to for_each_ref() callbacks.
+ git pack-refs --all --prune &&
+ test_must_fail git merge not-local 2>stderr &&
+ grep origin/not-local stderr