utf8.c: Fix reference count in swash_to_invlist()

The return SV* from this function was inconsistent in its reference
count.  In some cases it creates a new SV, which has a reference count
of 1, and in some cases it returned an existing SV without incrementing
the reference count.  If the caller thought it was getting its own copy,
and decremented the reference count, it could lead to a double free.

diff --git a/utf8.c b/utf8.c
index e1597bc..a3b6038 100644 (file)
--- a/utf8.c
+++ b/utf8.c
@@ -3976,7 +3976,8 @@ SV*
 Perl__swash_to_invlist(pTHX_ SV* const swash)
 {
 
-   /* Subject to change or removal.  For use only in one place in regcomp.c */
+   /* Subject to change or removal.  For use only in one place in regcomp.c.
+    * Ownership is given to one reference count in the returned SV* */
 
     U8 *l, *lend;
     char *loc;
@@ -4002,7 +4003,7 @@ Perl__swash_to_invlist(pTHX_ SV* const swash)
 
     /* If not a hash, it must be the swash's inversion list instead */
     if (SvTYPE(hv) != SVt_PVHV) {
-        return (SV*) hv;
+        return SvREFCNT_inc_simple_NN((SV*) hv);
     }
 
     /* The string containing the main body of the table */