From 6342e2c5a6570231aefabd8e34c2f2cb22f6927a Mon Sep 17 00:00:00 2001
From: Bram Moolenaar <Bram@vim.org>
Date: Mon, 12 Dec 2022 18:56:32 +0000
Subject: patch 9.0.1050: using freed memory when assigning to variable twice

Problem:    Using freed memory when assigning to variable twice.
Solution:   Make copy of the list type. (closes #11691)
---
 src/testdir/test_vim9_script.vim | 30 ++++++++++++++++++++++++++++++
 src/version.c                    |  2 ++
 src/vim9type.c                   |  3 ++-
 3 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/src/testdir/test_vim9_script.vim b/src/testdir/test_vim9_script.vim
index b6e1a89d2..c489ae55d 100644
--- a/src/testdir/test_vim9_script.vim
+++ b/src/testdir/test_vim9_script.vim
@@ -4519,6 +4519,36 @@ def Test_echo_uninit_variables()
   endif
 enddef
 
+def Test_free_type_before_use()
+  # this rather complicated script was freeing a type before using it
+  var lines =<< trim END
+      vim9script
+
+      def Scan(rel: list<dict<any>>): func(func(dict<any>))
+        return (Emit: func(dict<any>)) => {
+          for t in rel
+            Emit(t)
+          endfor
+        }
+      enddef
+
+      def Build(Cont: func(func(dict<any>))): list<dict<any>>
+        var rel: list<dict<any>> = []
+        Cont((t) => {
+            add(rel, t)
+        })
+        return rel
+      enddef
+
+      var R = [{A: 0}]
+      var result = Scan(R)->Build()
+      result = Scan(R)->Build()
+
+      assert_equal(R, result)
+  END
+  v9.CheckScriptSuccess(lines)
+enddef
+
 " Keep this last, it messes up highlighting.
 def Test_substitute_cmd()
   new
diff --git a/src/version.c b/src/version.c
index 48d9250cb..f72d53796 100644
--- a/src/version.c
+++ b/src/version.c
@@ -695,6 +695,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    1050,
 /**/
     1049,
 /**/
diff --git a/src/vim9type.c b/src/vim9type.c
index f36fa5eea..5d37ac5dc 100644
--- a/src/vim9type.c
+++ b/src/vim9type.c
@@ -403,7 +403,8 @@ typval2type_int(typval_T *tv, int copyID, garray_T *type_gap, int flags)
 	if (l->lv_type != NULL && (l->lv_first == NULL
 					   || (flags & TVTT_MORE_SPECIFIC) == 0
 					   || l->lv_type->tt_member != &t_any))
-	    return l->lv_type;
+	    // make a copy, lv_type may be freed if the list is freed
+	    return copy_type(l->lv_type, type_gap);
 	if (l->lv_first == &range_list_item)
 	    return &t_list_number;
 	if (l->lv_copyID == copyID)
-- 
cgit v1.2.1