From bce69d65dd41020ea1d727337a3baf9e95b40c35 Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Sun, 22 May 2022 13:45:52 +0100
Subject: [PATCH] patch 8.2.4998: Vim9: crash when using multiple funcref()

Problem:    Vim9: crash when using multiple funcref().
Solution:   Check if varargs type is NULL. (closes #10467)
---
 src/testdir/test_vim9_func.vim | 41 ++++++++++++++++++++++++++++++++++
 src/version.c                  |  2 ++
 src/vim9type.c                 |  6 ++++-
 3 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/src/testdir/test_vim9_func.vim b/src/testdir/test_vim9_func.vim
index 30ff1ef23..fcf37d5f5 100644
--- a/src/testdir/test_vim9_func.vim
+++ b/src/testdir/test_vim9_func.vim
@@ -4107,6 +4107,47 @@ func Test_lambda_allocation_failure()
   bw!
 endfunc
 
+def Test_multiple_funcref()
+  # This was using a NULL pointer
+  var lines =<< trim END
+      vim9script
+      def A(F: func, ...args: list<any>): func
+          return funcref(F, args)
+      enddef
+
+      def B(F: func): func
+          return funcref(A, [F])
+      enddef
+
+      def Test(n: number)
+      enddef
+
+      const X = B(Test)
+      X(1)
+  END
+  v9.CheckScriptSuccess(lines)
+
+  # slightly different case
+  lines =<< trim END
+      vim9script
+
+      def A(F: func, ...args: list<any>): any
+          return call(F, args)
+      enddef
+
+      def B(F: func): func
+          return funcref(A, [F])
+      enddef
+
+      def Test(n: number)
+      enddef
+
+      const X = B(Test)
+      X(1)
+  END
+  v9.CheckScriptSuccess(lines)
+enddef
+
 " The following messes up syntax highlight, keep near the end.
 if has('python3')
   def Test_python3_command()
diff --git a/src/version.c b/src/version.c
index 5ae7693c5..b18d0a511 100644
--- a/src/version.c
+++ b/src/version.c
@@ -734,6 +734,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    4998,
 /**/
     4997,
 /**/
diff --git a/src/vim9type.c b/src/vim9type.c
index 180876223..436feda51 100644
--- a/src/vim9type.c
+++ b/src/vim9type.c
@@ -807,7 +807,11 @@ check_argument_types(
 	else
 	    tv = &argvars[i];
 	if (varargs && i >= type->tt_argcount - 1)
-	    expected = type->tt_args[type->tt_argcount - 1]->tt_member;
+	{
+	    expected = type->tt_args[type->tt_argcount - 1];
+	    if (expected != NULL)
+		expected = expected->tt_member;
+	}
 	else
 	    expected = type->tt_args[i];
 	if (check_typval_arg_type(expected, tv, NULL, i + 1) == FAIL)
-- 
2.50.0