From 9a8e9f1160e35eb8c8657fe451b38df0649b8242 Mon Sep 17 00:00:00 2001
From: daidai <changyuwei@selectdb.com>
Date: Fri, 6 Mar 2026 15:19:24 +0800
Subject: [PATCH] fix heap-use-after-free in ORC SearchArgument rewriteLeaves.

---
 c++/src/sargs/SearchArgument.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/c++/src/sargs/SearchArgument.cc b/c++/src/sargs/SearchArgument.cc
index ff0ba1e2d5..612f0912ef 100644
--- a/c++/src/sargs/SearchArgument.cc
+++ b/c++/src/sargs/SearchArgument.cc
@@ -315,7 +315,6 @@ namespace orc {
     // Perform BFS
     while (!nodes.empty()) {
       TreeNode& node = nodes.front();
-      nodes.pop_front();
 
       if (node->getOperator() == ExpressionTree::Operator::LEAF) {
         leaves.insert(node);
@@ -324,6 +323,7 @@ namespace orc {
           nodes.push_back(child);
         }
       }
+      nodes.pop_front();
     }
 
     // Update the leaf in place