Issue #10989: Fix a crash on SSLContext.load_verify_locations(None, True).

Patch reviewed by Antoine Pitrou, okayed by Georg Brandl.
diff --git a/Lib/test/test_ssl.py b/Lib/test/test_ssl.py
index 0e47595..4ea1a63 100644
--- a/Lib/test/test_ssl.py
+++ b/Lib/test/test_ssl.py
@@ -394,6 +394,9 @@
         ctx.load_verify_locations(CERTFILE, CAPATH)
         ctx.load_verify_locations(CERTFILE, capath=BYTES_CAPATH)
 
+        # Issue #10989: crash if the second argument type is invalid
+        self.assertRaises(TypeError, ctx.load_verify_locations, None, True)
+
     @skip_if_broken_ubuntu_ssl
     def test_session_stats(self):
         for proto in PROTOCOLS:
diff --git a/Misc/NEWS b/Misc/NEWS
index b05b93c..51f5ac1 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -16,6 +16,8 @@
 Library
 -------
 
+- Issue #10989: Fix a crash on SSLContext.load_verify_locations(None, True).
+
 - Issue #11020: Command-line pyclbr was broken because of missing 2-to-3
   conversion.
 
diff --git a/Modules/_ssl.c b/Modules/_ssl.c
index 1e4b38a..141b1ae 100644
--- a/Modules/_ssl.c
+++ b/Modules/_ssl.c
@@ -1683,7 +1683,7 @@
         return NULL;
     }
     if (capath && !PyUnicode_FSConverter(capath, &capath_bytes)) {
-        Py_DECREF(cafile_bytes);
+        Py_XDECREF(cafile_bytes);
         PyErr_SetString(PyExc_TypeError,
                         "capath should be a valid filesystem path");
         return NULL;