patch 8.2.3427: double free when list is copiedv8.2.3427

Problem: Double free when list is copied. Solution: Allocate the type when making a copy. (closes #8862) Clear the type for flattennew(). Avoid a memory leak when flattennew() fails.
author: Bram Moolenaar <Bram@vim.org> 2021-09-11 20:20:38 +0200
committer: Bram Moolenaar <Bram@vim.org> 2021-09-11 20:20:38 +0200
commit: b3bf33a7b227df871834e816c4ce4b2706b56bea (patch)
tree: d19c84a9eae05efb04ae17172dce8169b5288dc9 /src/list.c
parent: 4b4b1b84eee70b74fa3bb57624533c65bafd8428 (diff)
download: vim-git-b3bf33a7b227df871834e816c4ce4b2706b56bea.tar.gz
1 files changed, 7 insertions, 1 deletions
diff --git a/src/list.c b/src/list.c
index 336bf3ba7..8e67a61db 100644
--- a/src/list.c
+++ b/src/list.c
@@ -952,7 +952,10 @@ list_flatten(list_T *list, long maxdepth)
 
 	    vimlist_remove(list, item, item);
 	    if (list_extend(list, item->li_tv.vval.v_list, next) == FAIL)
+	    {
+		list_free_item(list, item);
 		return;
+	    }
 	    clear_tv(&item->li_tv);
 	    tofree = item;
 
@@ -1023,6 +1026,9 @@ flatten_common(typval_T *argvars, typval_T *rettv, int make_copy)
 	rettv->vval.v_list = l;
 	if (l == NULL)
 	    return;
+	// The type will change.
+	free_type(l->lv_type);
+	l->lv_type = NULL;
     }
     else
     {
@@ -1217,7 +1223,7 @@ list_copy(list_T *orig, int deep, int copyID)
     copy = list_alloc();
     if (copy != NULL)
     {
-	copy->lv_type = orig->lv_type;
+	copy->lv_type = alloc_type(orig->lv_type);
 	if (copyID != 0)
 	{
 	    // Do this before adding the items, because one of the items may
author	Bram Moolenaar <Bram@vim.org>	2021-09-11 20:20:38 +0200
committer	Bram Moolenaar <Bram@vim.org>	2021-09-11 20:20:38 +0200
commit	b3bf33a7b227df871834e816c4ce4b2706b56bea (patch)
tree	d19c84a9eae05efb04ae17172dce8169b5288dc9 /src/list.c
parent	4b4b1b84eee70b74fa3bb57624533c65bafd8428 (diff)
download	vim-git-b3bf33a7b227df871834e816c4ce4b2706b56bea.tar.gz