patch 8.2.4587: Vim9: double free after unpacking a listv8.2.4587

Problem:    Vim9: double free after unpacking a list.
Solution:   Make a copy of the value instead of moving it. (closes #9968)

3 files changed, 13 insertions, 1 deletions

diff --git a/src/testdir/test_vim9_script.vim b/src/testdir/test_vim9_script.vim
index 94aa1e9d2..c94f29870 100644
--- a/src/testdir/test_vim9_script.vim
+++ b/src/testdir/test_vim9_script.vim
@@ -2253,6 +2253,13 @@ def Test_for_loop_unpack()
         res->add(n)
       endfor
       assert_equal([2, 5], res)
+
+      var text: list<string> = ["hello there", "goodbye now"]
+      var splitted = ''
+      for [first; next] in mapnew(text, (i, v) => split(v))
+          splitted ..= string(first) .. string(next) .. '/'
+      endfor
+      assert_equal("'hello'['there']/'goodbye'['now']/", splitted)
   END
   v9.CheckDefAndScriptSuccess(lines)
 
diff --git a/src/version.c b/src/version.c
index b90c57123..5cb21e832 100644
--- a/src/version.c
+++ b/src/version.c
@@ -751,6 +751,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    4587,
+/**/
     4586,
 /**/
     4585,
diff --git a/src/vim9execute.c b/src/vim9execute.c
index 4d24eb96e..3136dced7 100644
--- a/src/vim9execute.c
+++ b/src/vim9execute.c
@@ -4773,7 +4773,10 @@ exec_instructions(ectx_T *ectx)
 			    li = li->li_next;
 			for (i = 0; li != NULL; ++i)
 			{
-			    list_set_item(rem_list, i, &li->li_tv);
+			    typval_T tvcopy;
+
+			    copy_tv(&li->li_tv, &tvcopy);
+			    list_set_item(rem_list, i, &tvcopy);
 			    li = li->li_next;
 			}
 			--count;