From f00d3b5627ea6220c3970a868f4b3670aa530fbf Mon Sep 17 00:00:00 2001
From: Jinny You <jinny@lottiefiles.com>
Date: Mon, 13 May 2024 16:38:29 +0900
Subject: [PATCH] lottie/slot: Fix slot resetting bug

When resetting back to animated property, system causes an UAF because frames have been freed.

Mark frames in nullptr at the case, so it doesn't use frame data after freed.

Issue: #2255
---
 src/loaders/lottie/tvgLottieModel.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/loaders/lottie/tvgLottieModel.h b/src/loaders/lottie/tvgLottieModel.h
index 41ab5b3d..75edd061 100644
--- a/src/loaders/lottie/tvgLottieModel.h
+++ b/src/loaders/lottie/tvgLottieModel.h
@@ -712,16 +712,19 @@ struct LottieSlot
                 case LottieProperty::Type::ColorStop: {
                     static_cast<LottieGradient*>(pair->obj)->colorStops.release();
                     static_cast<LottieGradient*>(pair->obj)->colorStops = *static_cast<LottieColorStop*>(pair->prop);
+                    static_cast<LottieColorStop*>(pair->prop)->frames = nullptr;
                     break;
                 }
                 case LottieProperty::Type::Color: {
                     static_cast<LottieSolid*>(pair->obj)->color.release();
                     static_cast<LottieSolid*>(pair->obj)->color = *static_cast<LottieColor*>(pair->prop);
+                    static_cast<LottieColor*>(pair->prop)->frames = nullptr;
                     break;
                 }
                 case LottieProperty::Type::TextDoc: {
                     static_cast<LottieText*>(pair->obj)->doc.release();
                     static_cast<LottieText*>(pair->obj)->doc = *static_cast<LottieTextDoc*>(pair->prop);
+                    static_cast<LottieTextDoc*>(pair->prop)->frames = nullptr;
                     break;
                 }
                 default: break;