vim-patch:8.1.0738: using freed memory, for loop over blob leaks memory

Problem:    Using freed memory, for loop over blob leaks memory.
Solution:   Clear pointer after freeing memory.  Decrement reference count
            after for loop over blob.
https://github.com/vim/vim/commit/ecc8bc482ba601b9301a6c129c92a0d1f8527f72

1 files changed, 11 insertions, 3 deletions

diff --git a/src/nvim/eval.c b/src/nvim/eval.c
index 29df1a168f..eb8f0406c4 100644
--- a/src/nvim/eval.c
+++ b/src/nvim/eval.c
@@ -2603,6 +2603,8 @@ void *eval_for_line(const char_u *arg, bool *errp, char_u **nextcmdp, int skip)
         if (b == NULL) {
           tv_clear(&tv);
         } else {
+          // No need to increment the refcount, it's already set for
+          // the blob being used in "tv".
           fi->fi_blob = b;
           fi->fi_bi = 0;
         }
@@ -2666,6 +2668,9 @@ void free_for_info(void *fi_void)
     tv_list_watch_remove(fi->fi_list, &fi->fi_lw);
     tv_list_unref(fi->fi_list);
   }
+  if (fi != NULL && fi->fi_blob != NULL) {
+    tv_blob_unref(fi->fi_blob);
+  }
   xfree(fi);
 }
 
@@ -4072,9 +4077,12 @@ static int eval7(
       char_u *bp;
       for (bp = *arg + 2; ascii_isxdigit(bp[0]); bp += 2) {
         if (!ascii_isxdigit(bp[1])) {
-          EMSG(_("E973: Blob literal should have an even number of hex "
-                 "characters"));
-          xfree(blob);
+          if (blob != NULL) {
+            EMSG(_("E973: Blob literal should have an even number of hex "
+                   "characters"));
+            ga_clear(&blob->bv_ga);
+            XFREE_CLEAR(blob);
+          }
           ret = FAIL;
           break;
         }