Fix two use-after-free issues found by address sanitizer.

libgnucash/engine/Split.cpp

@@ -706,7 +706,13 @@ xaccFreeSplit (Split *split)
     }
     CACHE_REMOVE(split->memo);
     CACHE_REMOVE(split->action);
-
+    if (GNC_IS_ACCOUNT (split->acc) && !qof_instance_get_destroying (QOF_INSTANCE (split->acc)))
+        gnc_account_remove_split (split->acc, split);
+    if (GNC_IS_LOT (split->lot) && !qof_instance_get_destroying (QOF_INSTANCE (split->lot)))
+        gnc_lot_remove_split (split->lot, split);
+/* We should do the same for split->parent but we might be getting
+ * called from xaccFreeTransactiob abd tgat would cause trouble.
+ */
     /* Just in case someone looks up freed memory ... */
     split->memo        = (char *) 1;
     split->action      = NULL;

libgnucash/engine/Transaction.cpp

@@ -1509,7 +1509,11 @@ do_destroy (Transaction *trans)
        done for the next split, then a split will still be on the split list after it
        has been freed.  This can cause other parts of the code (e.g. in xaccSplitDestroy())
        to reference the split after it has been freed. */
-    for (node = trans->splits; node; node = node->next)
+
+    auto splits = trans->splits;
+    trans->splits = NULL;
+
+    for (node = splits; node; node = node->next)
     {
         Split *s = GNC_SPLIT(node->data);
         if (s && s->parent == trans)
@@ -1517,7 +1521,7 @@ do_destroy (Transaction *trans)
             xaccSplitDestroy(s);
         }
     }
-    for (node = trans->splits; node; node = node->next)
+    for (node = splits; node; node = node->next)
     {
         Split *s = GNC_SPLIT(node->data);
         if (s && s->parent == trans)
@@ -1526,7 +1530,6 @@ do_destroy (Transaction *trans)
         }
     }
     g_list_free (trans->splits);
-    trans->splits = NULL;
     xaccFreeTransaction (trans);
 }