From 1fa1147c2c277eb9a22c643f21b08da9bc15510e Mon Sep 17 00:00:00 2001
From: Karl Williamson <public@khwilliamson.com>
Date: Fri, 26 Jul 2013 14:26:27 -0600
Subject: [PATCH] regcomp.c: Fix potential scalar leak

The lines in this code were reversed.  We need to check something before
overwriting it, rather than the other way around.  The result would be
that under certain circumstances a SV would not get freed.  Those
circumstances are very limited: the first of the three parameters to
this function is not empty, but the 2nd is, and the output (3rd
parameter) is to overwrite the 2nd.  I found this bug by code reading; I
have searched the code space and there are no current calls to it that
have this parameter configuration, therefore there is no test that can
be added to trigger it.
---
 regcomp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/regcomp.c b/regcomp.c
index 08b9a90..98fa6b9 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -7844,11 +7844,11 @@ Perl__invlist_intersection_maybe_complement_2nd(pTHX_ SV* const a, SV* const b,
              * must be every possible code point.  Thus the intersection is
              * simply 'a'. */
             if (*i != a) {
-                *i = invlist_clone(a);
-
                 if (*i == b) {
                     SvREFCNT_dec_NN(b);
                 }
+
+                *i = invlist_clone(a);
             }
             /* else *i is already 'a' */
             return;
-- 
1.8.3.1