Fix access after free in evaluation cache

If a let expression is compressed away to just its value, let the
value keep a reference to the variable declaration.

Task-number: QTBUG-63613
Change-Id: I544ca682627c0fc0fe13984602aefbaaf3df4533
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>

2 files changed, 2 insertions, 2 deletions

diff --git a/src/xmlpatterns/expr/qevaluationcache_p.h b/src/xmlpatterns/expr/qevaluationcache_p.h
index 6c2efc7..d3ac422 100644
--- a/src/xmlpatterns/expr/qevaluationcache_p.h
+++ b/src/xmlpatterns/expr/qevaluationcache_p.h
@@ -120,7 +120,7 @@ namespace QPatternist
 
     private:
         static DynamicContext::Ptr topFocusContext(const DynamicContext::Ptr &context);
-        const VariableDeclaration*  m_declaration;
+        const VariableDeclaration::Ptr m_declaration;
         /**
          * This variable must not be called m_slot. If it so, a compiler bug on
          * HP-UX-aCC-64 is triggered in the constructor initializor. See the
diff --git a/src/xmlpatterns/expr/qevaluationcache_tpl_p.h b/src/xmlpatterns/expr/qevaluationcache_tpl_p.h
index 26f53b5..b8e09a9 100644
--- a/src/xmlpatterns/expr/qevaluationcache_tpl_p.h
+++ b/src/xmlpatterns/expr/qevaluationcache_tpl_p.h
@@ -58,7 +58,7 @@ template<bool IsForGlobal>
 EvaluationCache<IsForGlobal>::EvaluationCache(const Expression::Ptr &op,
                                               const VariableDeclaration::Ptr &varDecl,
                                               const VariableSlotID aSlot) : SingleContainer(op)
-                                                                          , m_declaration(varDecl.constData())
+                                                                          , m_declaration(varDecl)
                                                                           , m_varSlot(aSlot)
 {
     Q_ASSERT(m_declaration);