add a missing bounds-check in got-fetch-pack when parsing server response The tokenize_refline() function could end up reading past the end of the buffer if the refline is not terminated with whitespace or \0.