id: 2349
summary: Memory bug in OGRGMLLayer::GetNextFeature() when using attribute filter
reporter: titan
owner: Even Rouault
type: defect
status: closed
priority: normal
milestone: 1.5.2
component: OGR_SF
version: 1.5.1
severity: normal
resolution: fixed
keywords / cc: GML memory delete heap poGeom attribute filter titan warmerdam

description:

This pertains to the GML driver in OGR, when the user sets an attribute filter, then iterates over the features that match this query. A simple use case (pseudo C code):

{{{
OGR_L_ResetReading(layer);
OGR_L_SetAttributeFilter(layer, "height > 200");
for( feature = OGR_L_GetNextFeature(layer);
     feature;
     feature = OGR_L_GetNextFeature(layer) )
{
}
}}}

There is an apparent double-delete bug in OGRGMLLayer::!GetNextFeature(). The scenario begins in the while loop, when poGeom is constructed (ogrgmllayer.cpp:156). Let's then imagine that the attribute query fails. poOGRFeature is deleted but poGeom is not. As we begin the next iteration, we delete poGeom but do not mark it NULL. At this point, if the second feature also fails the query, we will attempt to delete the first poGeom ''again'' on the third iteration.

The obvious patch, which I am currently testing, is to mark poGeom NULL when it is deleted (line 127). Maybe there is another way, considering the different cases where poGeom needs to be deleted.
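
The stale-pointer pattern the description walks through, as an added example that is not GDAL code and not part of the ticket: a model loop whose allocations are tracked so that a repeated delete is counted rather than executed. `Geom`, `Tracker`, `Record`, `sampleRecords` and `runLoop` are hypothetical names, and the model assumes a pass can reach `continue` before a new geometry is assigned.

```cpp
#include <cstddef>
#include <memory>
#include <set>
#include <vector>

// Hypothetical stand-in for a geometry object; not an OGR class.
struct Geom { int id; };

// Owns every allocation for the whole run and records which are still "live",
// so a repeated delete is counted instead of corrupting the heap.
struct Tracker {
    std::vector<std::unique_ptr<Geom>> storage;
    std::set<const Geom*> live;
    int repeatedDeletes = 0;
    Geom* make(int id) {
        storage.emplace_back(new Geom{id});
        live.insert(storage.back().get());
        return storage.back().get();
    }
    void release(const Geom* g) { if (live.erase(g) == 0) ++repeatedDeletes; }
};

// One record per feature read (constructed input, not real GML data).
struct Record { bool hasGeometry; bool passesFilter; };

// Assumed sequence: a rejected feature followed by two passes that assign no geometry.
std::vector<Record> sampleRecords() {
    return { {true, false}, {false, false}, {false, false} };
}

// Runs the cleanup-at-top-of-loop pattern; returns how many deletes hit an
// already-deleted object. resetAfterDelete selects the patched behaviour.
int runLoop(const std::vector<Record>& records, bool resetAfterDelete) {
    Tracker t;
    Geom* poGeom = NULL;
    int nextId = 0;
    for (const Record& r : records) {
        if (poGeom != NULL) {
            t.release(poGeom);                    // cleanup left from an earlier pass
            if (resetAfterDelete) poGeom = NULL;  // the fix proposed in the ticket
        }
        if (!r.hasGeometry) continue;             // pointer keeps its old value
        poGeom = t.make(nextId++);
        if (!r.passesFilter) continue;            // rejected: freed on a later pass
        t.release(poGeom);                        // accepted: consumed here
        poGeom = NULL;
    }
    return t.repeatedDeletes;
}
```

In this model the unpatched loop reports no repeated delete when every pass assigns a new geometry, so the fault shows up only for input sequences that leave the old pointer value in place.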