From 7f6311f95f189095dc84ad2512069bd69375f802 Mon Sep 17 00:00:00 2001
From: Jinny You <jinny@lottiefiles.com>
Date: Mon, 13 May 2024 16:38:29 +0900
Subject: [PATCH] lottie/slot: Fix slot resetting bug

When resetting back to animated property, system causes an UAF because frames have been freed.

Mark frames in nullptr at the case, so it doesn't use frame data after freed.

Issue: #2255
---
 src/loaders/lottie/tvgLottieModel.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/loaders/lottie/tvgLottieModel.h b/src/loaders/lottie/tvgLottieModel.h
index 41ab5b3d..75edd061 100644
--- a/src/loaders/lottie/tvgLottieModel.h
+++ b/src/loaders/lottie/tvgLottieModel.h
@@ -712,16 +712,19 @@ struct LottieSlot
                 case LottieProperty::Type::ColorStop: {
                     static_cast<LottieGradient*>(pair->obj)->colorStops.release();
                     static_cast<LottieGradient*>(pair->obj)->colorStops = *static_cast<LottieColorStop*>(pair->prop);
+                    static_cast<LottieColorStop*>(pair->prop)->frames = nullptr;
                     break;
                 }
                 case LottieProperty::Type::Color: {
                     static_cast<LottieSolid*>(pair->obj)->color.release();
                     static_cast<LottieSolid*>(pair->obj)->color = *static_cast<LottieColor*>(pair->prop);
+                    static_cast<LottieColor*>(pair->prop)->frames = nullptr;
                     break;
                 }
                 case LottieProperty::Type::TextDoc: {
                     static_cast<LottieText*>(pair->obj)->doc.release();
                     static_cast<LottieText*>(pair->obj)->doc = *static_cast<LottieTextDoc*>(pair->prop);
+                    static_cast<LottieTextDoc*>(pair->prop)->frames = nullptr;
                     break;
                 }
                 default: break;