patch 8.1.0738: using freed memory, for loop over blob leaks memory

Problem:    Using freed memory, for loop over blob leaks memory.
Solution:   Clear pointer after freeing memory.  Decrement reference count
            after for loop over blob.

src/eval.c

@@ -2615,6 +2615,8 @@ eval_for_line(
 		    clear_tv(&tv);
 		else
 		{
+		    // No need to increment the refcount, it's already set for
+		    // the blob being used in "tv".
 		    fi->fi_blob = b;
 		    fi->fi_bi = 0;
 		}
@@ -2684,6 +2686,8 @@ free_for_info(void *fi_void)
 	list_rem_watch(fi->fi_list, &fi->fi_lw);
 	list_unref(fi->fi_list);
     }
+    if (fi != NULL && fi->fi_blob != NULL)
+	blob_unref(fi->fi_blob);
     vim_free(fi);
 }
 
@@ -4217,8 +4221,12 @@ eval7(
 		    {
 			if (!vim_isxdigit(bp[1]))
 			{
-			    EMSG(_("E973: Blob literal should have an even number of hex characters"));
+			    if (blob != NULL)
-			    vim_free(blob);
+			    {
+				EMSG(_("E973: Blob literal should have an even number of hex characters"));
+				ga_clear(&blob->bv_ga);
+				VIM_CLEAR(blob);
+			    }
 			    ret = FAIL;
 			    break;
 			}
@@ -4227,11 +4235,7 @@ eval7(
 					 (hex2nr(*bp) << 4) + hex2nr(*(bp+1)));
 		    }
 		    if (blob != NULL)
-		    {
+			rettv_blob_set(rettv, blob);
-			++blob->bv_refcount;
-			rettv->v_type = VAR_BLOB;
-			rettv->vval.v_blob = blob;
-		    }
 		    *arg = bp;
 		}
 		else

src/version.c

@@ -795,6 +795,8 @@ static char *(features[]) =
 
 static int included_patches[] =
 {   /* Add new patch number below this line */
+/**/
+    738,
 /**/
     737,
 /**/