# HG changeset patch
# User Bram Moolenaar <Bram@vim.org>
# Date 1631385004 -7200
# Node ID 8dfcee931c6ce40626a7217db0eea5f063740ddb
# Parent  aee42bda9b8a8e908489f8dc0002c9fd3e788be0
patch 8.2.3427: double free when list is copied

Commit: https://github.com/vim/vim/commit/b3bf33a7b227df871834e816c4ce4b2706b56bea
Author: Bram Moolenaar <Bram@vim.org>
Date:   Sat Sep 11 20:20:38 2021 +0200

    patch 8.2.3427: double free when list is copied

    Problem:    Double free when list is copied.
    Solution:   Allocate the type when making a copy. (closes https://github.com/vim/vim/issues/8862)
                Clear the type for flattennew().  Avoid a memory leak when
                flattennew() fails.

diff --git a/src/list.c b/src/list.c
--- a/src/list.c
+++ b/src/list.c
@@ -952,7 +952,10 @@ list_flatten(list_T *list, long maxdepth
 
 	    vimlist_remove(list, item, item);
 	    if (list_extend(list, item->li_tv.vval.v_list, next) == FAIL)
+	    {
+		list_free_item(list, item);
 		return;
+	    }
 	    clear_tv(&item->li_tv);
 	    tofree = item;
 
@@ -1023,6 +1026,9 @@ flatten_common(typval_T *argvars, typval
 	rettv->vval.v_list = l;
 	if (l == NULL)
 	    return;
+	// The type will change.
+	free_type(l->lv_type);
+	l->lv_type = NULL;
     }
     else
     {
@@ -1217,7 +1223,7 @@ list_copy(list_T *orig, int deep, int co
     copy = list_alloc();
     if (copy != NULL)
     {
-	copy->lv_type = orig->lv_type;
+	copy->lv_type = alloc_type(orig->lv_type);
 	if (copyID != 0)
 	{
 	    // Do this before adding the items, because one of the items may
diff --git a/src/testdir/test_vim9_builtin.vim b/src/testdir/test_vim9_builtin.vim
--- a/src/testdir/test_vim9_builtin.vim
+++ b/src/testdir/test_vim9_builtin.vim
@@ -1090,6 +1090,13 @@ def Test_findfile()
   CheckDefAndScriptFailure2(['findfile("a", "b", "c")'], 'E1013: Argument 3: type mismatch, expected number but got string', 'E1210: Number required for argument 3')
 enddef
 
+def Test_flatten()
+  var lines =<< trim END
+      echo flatten([1, 2, 3])
+  END
+  CheckDefAndScriptFailure(lines, 'E1158:')
+enddef
+
 def Test_flattennew()
   var lines =<< trim END
       var l = [1, [2, [3, 4]], 5]
@@ -1098,13 +1105,12 @@ def Test_flattennew()
 
       call assert_equal([1, 2, [3, 4], 5], flattennew(l, 1))
       call assert_equal([1, [2, [3, 4]], 5], l)
+
+      var ll: list<list<string>> = [['a', 'b', 'c']]
+      assert_equal(['a', 'b', 'c'], ll->flattennew())
   END
   CheckDefAndScriptSuccess(lines)
 
-  lines =<< trim END
-      echo flatten([1, 2, 3])
-  END
-  CheckDefAndScriptFailure(lines, 'E1158:')
   CheckDefAndScriptFailure2(['flattennew({})'], 'E1013: Argument 1: type mismatch, expected list<any> but got dict<unknown>', 'E1211: List required for argument 1')
   CheckDefAndScriptFailure2(['flattennew([], "1")'], 'E1013: Argument 2: type mismatch, expected number but got string', 'E1210: Number required for argument 2')
 enddef
diff --git a/src/version.c b/src/version.c
--- a/src/version.c
+++ b/src/version.c
@@ -756,6 +756,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    3427,
+/**/
     3426,
 /**/
     3425,