git_clone/thorvg
1
0
Fork 0
mirror of https://github.com/thorvg/thorvg.git synced 2025-06-08 13:43:43 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

lottie/slot: Fix slot resetting bug

Browse source 
When resetting back to animated property, system causes an UAF because frames have been freed.

Mark frames in nullptr at the case, so it doesn't use frame data after freed.

Issue: #2255
This commit is contained in:
Jinny You 2024-05-13 16:38:29 +09:00 committed by Hermet Park
parent edbd2d7728
commit f00d3b5627
1 changed files with 3 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
src/loaders/lottie/tvgLottieModel.h
View file

@ -712,16 +712,19 @@ struct LottieSlot
case LottieProperty::Type::ColorStop: { case LottieProperty::Type::ColorStop: {
static_cast<LottieGradient*>(pair->obj)->colorStops.release(); static_cast<LottieGradient*>(pair->obj)->colorStops.release();
static_cast<LottieGradient*>(pair->obj)->colorStops = *static_cast<LottieColorStop*>(pair->prop); static_cast<LottieGradient*>(pair->obj)->colorStops = *static_cast<LottieColorStop*>(pair->prop);
static_cast<LottieColorStop*>(pair->prop)->frames = nullptr;
break; break;
} }
case LottieProperty::Type::Color: { case LottieProperty::Type::Color: {
static_cast<LottieSolid*>(pair->obj)->color.release(); static_cast<LottieSolid*>(pair->obj)->color.release();
static_cast<LottieSolid*>(pair->obj)->color = *static_cast<LottieColor*>(pair->prop); static_cast<LottieSolid*>(pair->obj)->color = *static_cast<LottieColor*>(pair->prop);
static_cast<LottieColor*>(pair->prop)->frames = nullptr;
break; break;
} }
case LottieProperty::Type::TextDoc: { case LottieProperty::Type::TextDoc: {
static_cast<LottieText*>(pair->obj)->doc.release(); static_cast<LottieText*>(pair->obj)->doc.release();
static_cast<LottieText*>(pair->obj)->doc = *static_cast<LottieTextDoc*>(pair->prop); static_cast<LottieText*>(pair->obj)->doc = *static_cast<LottieTextDoc*>(pair->prop);
static_cast<LottieTextDoc*>(pair->prop)->frames = nullptr;
break; break;
} }
default: break; default: break;