GDAL through 3.0.1 has a double free in poolDestroy, triggered through OGRExpatRealloc in ogr/ogr_expat.cpp when the 10 MB threshold is exceeded.
{ "vanir_signatures": [ { "target": { "file": "gdal/ogr/ogr_expat.cpp", "function": "OGRExpatRealloc" }, "digest": { "function_hash": "110395127982434165459425119816292298899", "length": 159.0 }, "signature_type": "Function", "source": "https://github.com/osgeo/gdal/commit/148115fcc40f1651a5d15fa34c9a8c528e7147bb", "deprecated": false, "id": "CVE-2019-17545-953d6849", "signature_version": "v1" }, { "target": { "file": "gdal/ogr/ogr_expat.cpp" }, "digest": { "threshold": 0.9, "line_hashes": [ "308229990210759106968400908252313392300", "152172563583615806696898864395479245553", "259181652519837524019465353356666549752", "91935301074849414130272711771149295592" ] }, "signature_type": "Line", "source": "https://github.com/osgeo/gdal/commit/148115fcc40f1651a5d15fa34c9a8c528e7147bb", "deprecated": false, "id": "CVE-2019-17545-bbef44bd", "signature_version": "v1" } ] }