From 3585d2269ba2d9777e3afccef026d1e159f47f5d Mon Sep 17 00:00:00 2001 From: Allan Sandfeld Jensen Date: Fri, 15 Dec 2017 11:40:57 +0100 Subject: Fix access after free in evaluation cache If a let expression is compressed away to just its value, let the value keep a reference to the variable declaration. Task-number: QTBUG-63613 Change-Id: I544ca682627c0fc0fe13984602aefbaaf3df4533 Reviewed-by: Thiago Macieira --- src/xmlpatterns/expr/qevaluationcache_p.h | 2 +- src/xmlpatterns/expr/qevaluationcache_tpl_p.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/src/xmlpatterns/expr/qevaluationcache_p.h b/src/xmlpatterns/expr/qevaluationcache_p.h index 6c2efc7..d3ac422 100644 --- a/src/xmlpatterns/expr/qevaluationcache_p.h +++ b/src/xmlpatterns/expr/qevaluationcache_p.h @@ -120,7 +120,7 @@ namespace QPatternist private: static DynamicContext::Ptr topFocusContext(const DynamicContext::Ptr &context); - const VariableDeclaration* m_declaration; + const VariableDeclaration::Ptr m_declaration; /** * This variable must not be called m_slot. If it so, a compiler bug on * HP-UX-aCC-64 is triggered in the constructor initializor. See the diff --git a/src/xmlpatterns/expr/qevaluationcache_tpl_p.h b/src/xmlpatterns/expr/qevaluationcache_tpl_p.h index 26f53b5..b8e09a9 100644 --- a/src/xmlpatterns/expr/qevaluationcache_tpl_p.h +++ b/src/xmlpatterns/expr/qevaluationcache_tpl_p.h @@ -58,7 +58,7 @@ template EvaluationCache::EvaluationCache(const Expression::Ptr &op, const VariableDeclaration::Ptr &varDecl, const VariableSlotID aSlot) : SingleContainer(op) - , m_declaration(varDecl.constData()) + , m_declaration(varDecl) , m_varSlot(aSlot) { Q_ASSERT(m_declaration); -- cgit v1.2.1
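Review bot: The now-owning `m_declaration` in qevaluationcache_p.h has no comment saying why the cache must keep the declaration alive, so a later cleanup could turn it back into a raw pointer and reintroduce the use-after-free. I would add above it `// Owning reference: when the let expression is compressed away to its value, this cache must keep the variable declaration alive (QTBUG-63613).` Because the cache now holds a counted reference, it is also worth confirming that VariableDeclaration never holds a counted reference back to this cache, directly or through its expression, since such a cycle would leak both objects; that is not visible in this hunk. The class body starts and ends outside the hunk.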
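Review bot: No regression test accompanies the lifetime fix in the EvaluationCache constructor, since the diffstat lists only the two headers. A test that evaluates a query whose let expression is compressed to just its value (the QTBUG-63613 case), run under a memory-error detector such as AddressSanitizer, would catch a return to the borrowed-pointer pattern. Separately, `Q_ASSERT(m_declaration)` is the only null check on `varDecl` and is compiled out of release builds, so a runtime guard is needed if any caller can pass a null declaration; whether one can is not visible here. The constructor body continues past the end of the hunk.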