patch 8.1.0738: using freed memory, for loop over blob leaks memoryv8.1.0738

Problem:    Using freed memory, for loop over blob leaks memory.
Solution:   Clear pointer after freeing memory.  Decrement reference count
            after for loop over blob.

2 files changed, 13 insertions, 7 deletions

diff --git a/src/eval.c b/src/eval.c
index 993a5bc73..a5e358fe1 100644
--- a/src/eval.c
+++ b/src/eval.c
@@ -2615,6 +2615,8 @@ eval_for_line(
 		    clear_tv(&tv);
 		else
 		{
+		    // No need to increment the refcount, it's already set for
+		    // the blob being used in "tv".
 		    fi->fi_blob = b;
 		    fi->fi_bi = 0;
 		}
@@ -2684,6 +2686,8 @@ free_for_info(void *fi_void)
 	list_rem_watch(fi->fi_list, &fi->fi_lw);
 	list_unref(fi->fi_list);
     }
+    if (fi != NULL && fi->fi_blob != NULL)
+	blob_unref(fi->fi_blob);
     vim_free(fi);
 }
 
@@ -4217,8 +4221,12 @@ eval7(
 		    {
 			if (!vim_isxdigit(bp[1]))
 			{
-			    EMSG(_("E973: Blob literal should have an even number of hex characters"));
-			    vim_free(blob);
+			    if (blob != NULL)
+			    {
+				EMSG(_("E973: Blob literal should have an even number of hex characters"));
+				ga_clear(&blob->bv_ga);
+				VIM_CLEAR(blob);
+			    }
 			    ret = FAIL;
 			    break;
 			}
@@ -4227,11 +4235,7 @@ eval7(
 					 (hex2nr(*bp) << 4) + hex2nr(*(bp+1)));
 		    }
 		    if (blob != NULL)
-		    {
-			++blob->bv_refcount;
-			rettv->v_type = VAR_BLOB;
-			rettv->vval.v_blob = blob;
-		    }
+			rettv_blob_set(rettv, blob);
 		    *arg = bp;
 		}
 		else
diff --git a/src/version.c b/src/version.c
index 9f4bbfce7..5d1d06f56 100644
--- a/src/version.c
+++ b/src/version.c
@@ -796,6 +796,8 @@ static char *(features[]) =
 static int included_patches[] =
 {   /* Add new patch number below this line */
 /**/
+    738,
+/**/
     737,
 /**/
     736,