patch 8.2.3427: double free when list is copied
Problem: Double free when list is copied.
Solution: Allocate the type when making a copy. (closes #8862)
Clear the type for flattennew(). Avoid a memory leak when
flattennew() fails.
diff --git a/src/list.c b/src/list.c
index 336bf3b..8e67a61 100644
--- a/src/list.c
+++ b/src/list.c
@@ -952,7 +952,10 @@
vimlist_remove(list, item, item);
if (list_extend(list, item->li_tv.vval.v_list, next) == FAIL)
+ {
+ list_free_item(list, item);
return;
+ }
clear_tv(&item->li_tv);
tofree = item;
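Review bot: The new failure branch frees `item` without a comment explaining why, and the reason is not obvious from the added lines alone. `vimlist_remove(list, item, item)` just above has already unlinked the item, so nothing else owns it when `list_extend()` returns FAIL; I would add `// "item" is already unlinked from "list", free it here or it leaks` above the `list_free_item()` call. Whether `list_extend()` can fail after appending part of the nested list is not visible here; if it can, the list is left partially flattened and the bare `return;` carries no status. The enclosing function starts and ends outside the hunk.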
@@ -1023,6 +1026,9 @@
rettv->vval.v_list = l;
if (l == NULL)
return;
+ // The type will change.
+ free_type(l->lv_type);
+ l->lv_type = NULL;
}
else
{
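Review bot: The comment `// The type will change.` does not say who owns `l->lv_type` here or why freeing it is safe, which is the ownership question this patch is about. Presumably `l` is the copy made for flattennew(), so something like `// "l" is a copy that owns its declared type; flattening can change the item type, so drop it` would make the free/NULL pair self-explanatory. The `else` branch that follows is cut off by the hunk, so it is not possible to tell from here whether the in-place path can leave a stale `lv_type` on the list; that is worth confirming.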
@@ -1217,7 +1223,7 @@
copy = list_alloc();
if (copy != NULL)
{
- copy->lv_type = orig->lv_type;
+ copy->lv_type = alloc_type(orig->lv_type);
if (copyID != 0)
{
// Do this before adding the items, because one of the items may
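Review bot: The result of `alloc_type(orig->lv_type)` is stored without a check. If `alloc_type()` can return NULL on allocation failure (its definition is not in this diff), the copy silently ends up untyped while the original keeps its declared type. If that is acceptable, say so in a comment; otherwise handle it alongside the existing `copy != NULL` check. I would also record the ownership rule next to the assignment, e.g. `// each list owns its lv_type; sharing the pointer gets it freed twice`, and check any other site that assigns `lv_type` from another list for the same aliasing. The function body continues past the hunk.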