bgo#744688 - Fix double g_free() when processing stroke-dasharray

The part of rsvg_parse_style_pair() that validates the dash pattern, by seeing
if any actual dash length was generated, could leave a dangling pointer after
a g_free() if the dash pattern turned out to be invalid. Later,
rsvg_state_inherit_run() would try to g_free() this dangling pointer as well.

Found by Atte Kettunen's fuzz testing.

Signed-off-by: Federico Mena Quintero <federico@gnome.org>
parent d7b49df8
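The free-then-inherit sequence described in the commit message, as an added example that is not librsvg's code: the same parse path is run once leaving the pointer dangling and once clearing it. All names (`dash_state`, `parse_dasharray`, `state_inherit`, `t_alloc`, `t_free`, `run_case`) and the "lengths sum to zero" validity rule are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Toy quarantine allocator: a freed block is only marked dead, so a repeat free is counted. */
static struct { void *p; int live; } blocks[16];
static int n_blocks, double_frees;
static void *t_alloc(size_t n) {
    void *p = n_blocks < 16 ? calloc(1, n) : NULL;
    if (p) { blocks[n_blocks].p = p; blocks[n_blocks++].live = 1; }
    return p;
}
static void t_free(void *p) {            /* NULL is a no-op, as with g_free() */
    for (int i = 0; p && i < n_blocks; i++)
        if (blocks[i].p == p) { double_frees += !blocks[i].live; blocks[i].live = 0; }
}

typedef struct { double *dash; size_t n_dash; } dash_state;   /* hypothetical */
/* Parse "a,b,..."; a pattern whose lengths sum to zero is rejected (assumed rule). */
static void parse_dasharray(dash_state *s, const char *str, int clear_ptr) {
    size_t n = strlen(str) / 2 + 1, k = 0; double total = 0; char *end;
    t_free(s->dash);
    s->n_dash = 0;
    if (!(s->dash = t_alloc(n * sizeof *s->dash))) return;
    do {
        total += s->dash[k++] = strtod(str, &end);
        str = end + 1;
    } while (*end == ',' && k < n);
    if (total > 0) { s->n_dash = k; return; }
    t_free(s->dash);                     /* invalid pattern: drop the array */
    if (clear_ptr) s->dash = NULL;       /* the fix: leave no dangling pointer */
}

static void state_inherit(dash_state *dst, const dash_state *src) {
    t_free(dst->dash);                   /* second free if dst->dash dangles */
    dst->dash = src->n_dash ? t_alloc(src->n_dash * sizeof *src->dash) : NULL;
    dst->n_dash = dst->dash ? src->n_dash : 0;
    if (dst->dash) memcpy(dst->dash, src->dash, src->n_dash * sizeof *src->dash);
}

/* Number of double frees triggered by parsing `pattern`, then inheriting. */
int run_case(const char *pattern, int clear_ptr) {
    dash_state child = {0}, parent = {0};
    while (n_blocks) free(blocks[--n_blocks].p);   /* reset the quarantine */
    double_frees = 0;
    parse_dasharray(&child, pattern, clear_ptr);
    state_inherit(&child, &parent);
    return double_frees;
}
int main(void) { return !(run_case("0,0", 0) == 1 && run_case("0,0", 1) == 0); }
```

With a real allocator the uncleared case is heap corruption rather than a counter increment, which is why fuzzing under a memory checker surfaces it.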