From 83eb8ba37b8fb2da06e897375521fa44265df201 Mon Sep 17 00:00:00 2001
From: Jinny You <jinny@lottiefiles.com>
Date: Mon, 13 May 2024 16:38:29 +0900
Subject: [PATCH] lottie/slot: Fix slot resetting bug

When resetting back to animated property, system causes an UAF because frames have been freed.

Mark frames in nullptr at the case, so it doesn't use frame data after freed.

Issue: #2255
---
 src/loaders/lottie/tvgLottieModel.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/loaders/lottie/tvgLottieModel.h b/src/loaders/lottie/tvgLottieModel.h
index 41ab5b3d..75edd061 100644
--- a/src/loaders/lottie/tvgLottieModel.h
+++ b/src/loaders/lottie/tvgLottieModel.h
@@ -712,16 +712,19 @@ struct LottieSlot
                 case LottieProperty::Type::ColorStop: {
                     static_cast<LottieGradient*>(pair->obj)->colorStops.release();
                     static_cast<LottieGradient*>(pair->obj)->colorStops = *static_cast<LottieColorStop*>(pair->prop);
+                    static_cast<LottieColorStop*>(pair->prop)->frames = nullptr;
                     break;
                 }
                 case LottieProperty::Type::Color: {
                     static_cast<LottieSolid*>(pair->obj)->color.release();
                     static_cast<LottieSolid*>(pair->obj)->color = *static_cast<LottieColor*>(pair->prop);
+                    static_cast<LottieColor*>(pair->prop)->frames = nullptr;
                     break;
                 }
                 case LottieProperty::Type::TextDoc: {
                     static_cast<LottieText*>(pair->obj)->doc.release();
                     static_cast<LottieText*>(pair->obj)->doc = *static_cast<LottieTextDoc*>(pair->prop);
+                    static_cast<LottieTextDoc*>(pair->prop)->frames = nullptr;
                     break;
                 }
                 default: break;