qmake: fix hypothetical raw data leak in $$replace()

the replacement value may well constitute the whole output string - this
is in fact common, given this rather typical usage pattern:

  BAR = $$replace(FOO, -flag, -otherflag)

this must be considered when constructing the return value.
compare e1cee308a.

as of now, this is irrelevant, as QString::replace(QRegExp, QString) will
always memcpy the replacement into a detached copy of the target, but one
never knows.

Change-Id: Ia1f271f45023746040fc28ce6d88a6609e05e5c2
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
(cherry picked from qtbase/e8b9a17a3bd770f6bf1bc8f4e0586565acf425e2)
Reviewed-by: Tobias Hunger <tobias.hunger@qt.io>

1 files changed, 5 insertions, 1 deletions

diff --git a/src/shared/proparser/qmakebuiltins.cpp b/src/shared/proparser/qmakebuiltins.cpp
index 102252fdaf..5bfbdca8d6 100644
--- a/src/shared/proparser/qmakebuiltins.cpp
+++ b/src/shared/proparser/qmakebuiltins.cpp
@@ -1112,7 +1112,11 @@ QMakeEvaluator::VisitReturn QMakeEvaluator::evaluateBuiltinExpand(
                 QString rstr = val.toQString(m_tmp1);
                 QString copy = rstr; // Force a detach on modify
                 rstr.replace(before, after);
-                ret << (rstr.isSharedWith(m_tmp1) ? val : ProString(rstr).setSource(val));
+                ret << (rstr.isSharedWith(m_tmp1)
+                            ? val
+                            : rstr.isSharedWith(m_tmp2)
+                                ? args.at(2)
+                                : ProString(rstr).setSource(val));
             }
         }
         break;