wcli_match_advert captures first_name as a pointer-pair slice into the advert buf, then holds it across the rest of the drain loop; wcli_read_pkt compacts the same buffer when IDLE runs out (u8bUsed+u8bShift memmove of surviving DATA to buf[0], then FILEDrain overwrites), so first_name's bytes are relocated/clobbered. The legacy first-ref fallback then does a_dup(u8c, fn, first_name) (a pointer copy, not a byte copy) and records the stale/overwritten region as a corrupt ref name. The slice stays within the BASS-carved buf, so this is a stale-memory read (corrupt name), not OOB. The goal is to snapshot the first ref name into stable storage at capture time.
A captured slice aliases a buffer that later compacts under it.
- keeper/WIRECLI.c:446 u8csMv(first_name, name) copies pointers aliasing advert buf DATA; never re-derived, only used at :498.
- keeper/WIRECLI.c:61-69 wcli_read_pkt u8bUsed+u8bShift(buf,0) memmoves surviving DATA to buf[0]; FILEDrain (:72) overwrites → first_name bytes relocated/clobbered.
- WCLI_BUF=64KiB (:46) but vanilla git advertises ~100KiB, so compaction fires mid-drain.
- keeper/WIRECLI.c:498 a_dup(u8c,fn,first_name) is a pointer-pair copy; the corrupt bytes feed wcli_wire_to_be when want_branch empty + no HEAD match + no surviving refs/heads/main.
None.
Snapshot the name at first sight.
- WCLI_BUF (forcing compaction) with empty want_branch and no refs/heads/main; assert the recorded first-ref name matches the real first ref, not garbage.
- a_pad/u8bFeed copy, like WCLI_RECORD_NAME→name_out) when first seen; use that copy in the fallback.
- WCLI_RECORD_NAME path during the main loop so no buffer-pointing slice is held across compacting reads.
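
A minimal model of the defect and of the snapshot fix, added here as an illustration and not taken from keeper/WIRECLI.c. The names `slice`, `rbuf`, `rbuf_compact_fill` and `first_name_survives` are hypothetical stand-ins, and the 32-byte buffer and ref names are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins, not the keeper types: a pointer-pair slice and a
 * small read buffer whose consumed prefix is dropped by compaction. */
typedef struct { const uint8_t *b, *e; } slice;
typedef struct { uint8_t mem[32]; size_t head, tail; } rbuf;

/* Compact: memmove surviving data to mem[0], then refill the free tail
 * (models the shift-then-drain step described above). */
static void rbuf_compact_fill(rbuf *r, const char *more) {
    size_t live = r->tail - r->head;
    memmove(r->mem, r->mem + r->head, live);
    r->head = 0; r->tail = live;
    size_t n = strlen(more);
    if (n > sizeof r->mem - r->tail) n = sizeof r->mem - r->tail;
    memcpy(r->mem + r->tail, more, n);
    r->tail += n;
}

/* Returns 1 if the name seen first still reads back intact after compaction.
 * snapshot=0 keeps only the slice (the bug); snapshot=1 copies bytes at capture. */
int first_name_survives(int snapshot) {
    static const char first[] = "refs/heads/trunk", next[] = "refs/tags/v1";
    rbuf r = {0};
    size_t n = sizeof first - 1;
    memcpy(r.mem, first, n); r.tail = n;

    slice name = { r.mem, r.mem + n };   /* aliases buffer data */
    uint8_t stable[64]; slice kept = name;
    if (snapshot) {                      /* byte copy into stable storage */
        memcpy(stable, name.b, n);
        kept.b = stable; kept.e = stable + n;
    }
    slice dup = kept;                    /* pointer-pair copy: copies no bytes */

    r.head = n;                          /* first record consumed */
    rbuf_compact_fill(&r, next);         /* next record lands on mem[0] */

    /* The stale read stays inside mem[], so it is corrupt data, not OOB. */
    return (size_t)(dup.e - dup.b) == n && memcmp(dup.b, first, n) == 0;
}

int main(void) {
    printf("slice only: %d, snapshot: %d\n",
           first_name_survives(0), first_name_survives(1));
    return 0;
}
```

The same shape works as a regression test: feed more data than the buffer holds so compaction is forced, then compare the recorded name against the known first ref.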