# HG changeset patch # User Bram Moolenaar # Date 1640712604 -3600 # Node ID 83b35c75c21a8904aea5826f74243986eee140da # Parent 236fb5192776e0ab19bce117a9c407822a63db55 patch 8.2.3923: Vim9: double free with split argument list in nested function Commit: https://github.com/vim/vim/commit/4bf1006cae7e87259ccd5219128c3dba75774441 Author: Bram Moolenaar Date: Tue Dec 28 17:23:12 2021 +0000 patch 8.2.3923: Vim9: double free with split argument list in nested function Problem: Vim9: double free if a nested function has a line break in the argument list. Solution: Set cmdlinep when freeing the previous line.
diff --git a/src/testdir/test_vim9_func.vim b/src/testdir/test_vim9_func.vim
--- a/src/testdir/test_vim9_func.vim
+++ b/src/testdir/test_vim9_func.vim
@@ -1669,7 +1669,7 @@ def Test_error_in_nested_function()
 assert_fails('FuncWithForwardCall()', 'E1096:', '', 1, 'FuncWithForwardCall')
 enddef
 
-def Test_nested_functin_with_nextcmd()
+def Test_nested_function_with_nextcmd()
 var lines =<< trim END
 vim9script
 # Define an outer function
@@ -1689,6 +1689,24 @@ def Test_nested_functin_with_nextcmd()
 CheckScriptFailure(lines, 'E476: Invalid command: AAAAA')
 enddef
 
+def Test_nested_function_with_args_split()
+ var lines =<< trim END
+ vim9script
+ def FirstFunction()
+ def SecondFunction(
+ )
+ # had a double free if the right parenthesis of the nested function is
+ # on the next line
+
+ enddef|BBBB
+ enddef
+ # Compile all functions
+ defcompile
+ END
+ # FIXME: this should fail on the BBBB
+ CheckScriptSuccess(lines)
+enddef
+
 def Test_return_type_wrong()
 CheckScriptFailure([
 'def Func(): number',
diff --git a/src/userfunc.c b/src/userfunc.c
--- a/src/userfunc.c
+++ b/src/userfunc.c
@@ -219,6 +219,8 @@ get_function_args(
 if (theline == NULL)
 break;
 vim_free(*line_to_free);
+ if (*eap->cmdlinep == *line_to_free)
+ *eap->cmdlinep = theline;
 *line_to_free = theline;
 whitep = (char_u *)" ";
 p = skipwhite(theline);
diff --git a/src/version.c b/src/version.c
--- a/src/version.c
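Review bot: Test_nested_function_with_args_split ends in `CheckScriptSuccess(lines)`, so it catches the regression only if the double free actually aborts the process. On a build without a memory checker a double free can pass silently, so the test presumably relies on the ASan or valgrind run to be meaningful. A comment next to the existing one, for example `# only reliably detected when the tests run under a memory checker`, would keep it from being read as a functional check.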
+++ b/src/version.c
@@ -750,6 +750,8 @@ static char *(features[]) =
 static int included_patches[] =
 { /* Add new patch number below this line */
 /**/
+ 3923,
+/**/
 3922,
 /**/
 3921,