From e8b9a17a3bd770f6bf1bc8f4e0586565acf425e2 Mon Sep 17 00:00:00 2001
From: Oswald Buddenhagen <oswald.buddenhagen@qt.io>
Date: Fri, 11 Aug 2017 13:41:39 +0200
Subject: qmake: fix hypothetical raw data leak in $$replace()

the replacement value may well constitute the whole output string - this
is in fact common, given this rather typical usage pattern:

  BAR = $$replace(FOO, -flag, -otherflag)

this must be considered when constructing the return value.
compare 3c8134958c6.

as of now, this is irrelevant, as QString::replace(QRegExp, QString) will
always memcpy the replacement into a detached copy of the target, but one
never knows.

Change-Id: Ia1f271f45023746040fc28ce6d88a6609e05e5c2
Reviewed-by: Joerg Bornemann <joerg.bornemann@qt.io>
---
 qmake/library/qmakebuiltins.cpp | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/qmake/library/qmakebuiltins.cpp b/qmake/library/qmakebuiltins.cpp
index acc1924e80..1b98cbd909 100644
--- a/qmake/library/qmakebuiltins.cpp
+++ b/qmake/library/qmakebuiltins.cpp
@@ -1111,7 +1111,11 @@ QMakeEvaluator::VisitReturn QMakeEvaluator::evaluateBuiltinExpand(
                 QString rstr = val.toQString(m_tmp1);
                 QString copy = rstr; // Force a detach on modify
                 rstr.replace(before, after);
-                ret << (rstr.isSharedWith(m_tmp1) ? val : ProString(rstr).setSource(val));
+                ret << (rstr.isSharedWith(m_tmp1)
+                            ? val
+                            : rstr.isSharedWith(m_tmp2)
+                                ? args.at(2)
+                                : ProString(rstr).setSource(val));
             }
         }
         break;
-- 
cgit v1.2.3