From 61efa16932d485fc724e4b94a8e7078a176c9946 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar
Date: Fri, 18 Mar 2022 13:10:48 +0000
Subject: [PATCH] patch 8.2.4587: Vim9: double free after unpacking a list

Problem: Vim9: double free after unpacking a list.
Solution: Make a copy of the value instead of moving it. (closes #9968)
---
 src/testdir/test_vim9_script.vim | 7 +++++++
 src/version.c | 2 ++
 src/vim9execute.c | 5 ++++-
 3 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/testdir/test_vim9_script.vim b/src/testdir/test_vim9_script.vim
index 94aa1e9d2..c94f29870 100644
--- a/src/testdir/test_vim9_script.vim
+++ b/src/testdir/test_vim9_script.vim
@@ -2253,6 +2253,13 @@ def Test_for_loop_unpack()
 res->add(n)
 endfor
 assert_equal([2, 5], res)
+
+ var text: list = ["hello there", "goodbye now"]
+ var splitted = ''
+ for [first; next] in mapnew(text, (i, v) => split(v))
+ splitted ..= string(first) .. string(next) .. '/'
+ endfor
+ assert_equal("'hello'['there']/'goodbye'['now']/", splitted)
 END
 v9.CheckDefAndScriptSuccess(lines)
diff --git a/src/version.c b/src/version.c
index b90c57123..5cb21e832 100644
--- a/src/version.c
+++ b/src/version.c
@@ -750,6 +750,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
+/**/
+ 4587,
 /**/
 4586,
 /**/
diff --git a/src/vim9execute.c b/src/vim9execute.c
index 4d24eb96e..3136dced7 100644
--- a/src/vim9execute.c
+++ b/src/vim9execute.c
@@ -4773,7 +4773,10 @@ exec_instructions(ectx_T *ectx)
 li = li->li_next;
 for (i = 0; li != NULL; ++i)
 {
- list_set_item(rem_list, i, &li->li_tv);
+ typval_T tvcopy;
+
+ copy_tv(&li->li_tv, &tvcopy);
+ list_set_item(rem_list, i, &tvcopy);
 li = li->li_next;
 }
 --count;
--
2.40.0
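Review bot: The block added to Test_for_loop_unpack() does not say that it is a memory-safety regression test, so nothing in the test file ties it to the double free named in the commit message. A leading comment such as `# unpacking into a rest item used to double free the list items (issue 9968)` would keep it from being trimmed later as redundant with the earlier unpack cases. The assertion only checks the resulting string, so the regression may only surface reliably when the suite runs under a memory checker; that is worth stating in the same comment. The function body starts and ends outside the hunk.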
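Review bot: The new `copy_tv()` call in the loop body carries no comment explaining the ownership rule it restores, and that rule is the whole fix. Per the commit message, `list_set_item()` moves the value, so passing `&li->li_tv` directly left the source list and `rem_list` both owning the same value and both freeing it. A one-line comment above the copy, e.g. `// list_set_item() takes over the value; copy it so the source list still owns li->li_tv`, would stop a later cleanup from reverting to the direct pass. The enclosing `exec_instructions()` starts and ends outside the hunk, so how `rem_list` is sized and released is not visible here.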