bisect: handle NULL commit in bisect_successful()

bisect_successful() calls lookup_commit_reference_by_name() to
find the first bad commit, then immediately passes the result to
repo_format_commit_message() and dereferences commit->object.oid
without checking for NULL.

lookup_commit_reference_by_name() can return NULL when the ref
does not resolve to a valid commit object (e.g., the bisect ref
points to a corrupted or missing object). In that case,
repo_format_commit_message(NULL, ...) and commit->object.oid are
undefined behavior.

In practice this is unlikely because bisect_successful() is only
called after a successful bisect run has identified the bad
commit, but the ref could still become dangling due to a
concurrent gc or repository corruption.

Add a NULL check and return an error if the commit cannot be
looked up.

Pointed out by Coverity.

Assisted-by: Claude Opus 4.6
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

Author: dscho

builtin/bisect.c

@@ -660,6 +660,11 @@ static int bisect_successful(struct bisect_terms *terms)
 
 	refs_read_ref(get_main_ref_store(the_repository), bad_ref, &oid);
 	commit = lookup_commit_reference_by_name(bad_ref);
+	if (!commit) {
+		res = error(_("could not find commit for '%s'"), bad_ref);
+		free(bad_ref);
+		return res;
+	}
 	repo_format_commit_message(the_repository, commit, "%s", &commit_name,
 				   &pp);