commit 61efa16932d485fc724e4b94a8e7078a176c9946
author Bram Moolenaar <Bram@vim.org> Fri Mar 18 13:10:48 2022 +0000
committer Bram Moolenaar <Bram@vim.org> Fri Mar 18 13:10:48 2022 +0000
tree eb5308b89e7ad18b04e5efa9f69d18159925caa5
parent 1d9cef769d6c91d9a58a9c3c1c8ffe3da3570871

patch 8.2.4587: Vim9: double free after unpacking a list

Problem:    Vim9: double free after unpacking a list.
Solution:   Make a copy of the value instead of moving it. (closes #9968)

src/testdir/test_vim9_script.vim

diff --git a/src/testdir/test_vim9_script.vim b/src/testdir/test_vim9_script.vim
index 94aa1e9..c94f298 100644
--- a/src/testdir/test_vim9_script.vim
+++ b/src/testdir/test_vim9_script.vim
@@ -2253,6 +2253,13 @@
         res->add(n)
       endfor
       assert_equal([2, 5], res)
+
+      var text: list<string> = ["hello there", "goodbye now"]
+      var splitted = ''
+      for [first; next] in mapnew(text, (i, v) => split(v))
+          splitted ..= string(first) .. string(next) .. '/'
+      endfor
+      assert_equal("'hello'['there']/'goodbye'['now']/", splitted)
   END
   v9.CheckDefAndScriptSuccess(lines)
 

src/version.c

diff --git a/src/version.c b/src/version.c
index b90c571..5cb21e8 100644
--- a/src/version.c
+++ b/src/version.c
@@ -751,6 +751,8 @@
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    4587,
+/**/
     4586,
 /**/
     4585,

src/vim9execute.c

diff --git a/src/vim9execute.c b/src/vim9execute.c
index 4d24eb9..3136dce 100644
--- a/src/vim9execute.c
+++ b/src/vim9execute.c
@@ -4773,7 +4773,10 @@
 			    li = li->li_next;
 			for (i = 0; li != NULL; ++i)
 			{
-			    list_set_item(rem_list, i, &li->li_tv);
+			    typval_T tvcopy;
+
+			    copy_tv(&li->li_tv, &tvcopy);
+			    list_set_item(rem_list, i, &tvcopy);
 			    li = li->li_next;
 			}
 			--count;