Unrated severity · NVD Advisory · Published May 18, 2021 · Updated Aug 3, 2024

CVE-2021-31319

Description

Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 are affected by an Integer Overflow in the LOTGradient::populate function of their custom fork of the rlottie library. A remote attacker might be able to access heap memory out-of-bounds on a victim device via a malicious animated sticker.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An integer overflow in Telegram's rlottie LOTGradient::populate function allows remote attackers to trigger a heap out-of-bounds read via a malicious animated sticker.

Vulnerability

CVE-2021-31319 is an integer overflow vulnerability in the LOTGradient::populate function of Telegram's custom rlottie library [2]. Affected versions include Telegram Android <7.1.0 (2090), Telegram iOS <7.1, and Telegram macOS <7.1 [1]. The library processes animated stickers in the Lottie format. The field mColorPoints is attacker-controlled via the sticker data; the check colorPoints * 4 > size can overflow when colorPoints is a large signed integer, bypassing bounds validation [2].

Exploitation

A remote attacker can send a specially crafted animated sticker to a victim. No authentication or user interaction is required aside from the victim viewing the sticker in a chat [1]. The attacker provides a sticker with a crafted mColorPoints value that, when multiplied by 4, wraps to a negative number, causing the pointer arithmetic at ptr + (colorPoints * 4) to point before the allocated heap buffer [2]. Subsequent reads in the for loop then access out-of-bounds heap memory.
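The wrap in the `colorPoints * 4 > size` check and in the `ptr + (colorPoints * 4)` offset described above can be reproduced in isolation. This is an added example, not code from Telegram or rlottie: the function names are hypothetical, the sample values are constructed, and it assumes a 32-bit `int` and that a true check result means the input is rejected.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit two's-complement result of v * 4, computed without signed-overflow
 * undefined behaviour so the wrap can be inspected safely. */
static int32_t wrap_mul4(int32_t v) {
    uint32_t u = (uint32_t)v * 4u;  /* modular arithmetic, well defined */
    int32_t r;
    memcpy(&r, &u, sizeof r);       /* reinterpret the bits as signed */
    return r;
}

/* Hypothetical model of the weak validation: reject only when
 * colorPoints * 4 > size, with the product evaluated in 32 bits. */
int weak_check_accepts(int32_t colorPoints, int32_t size) {
    return !(wrap_mul4(colorPoints) > size);
}

/* Hardened form: no multiplication on untrusted input. Negative counts are
 * rejected and the comparison is done by dividing the trusted size. */
int safe_check_accepts(int32_t colorPoints, int32_t size) {
    if (colorPoints < 0 || size < 0) return 0;
    return colorPoints <= size / 4;
}

int main(void) {
    const int32_t size = 16;  /* constructed: buffer of 16 floats */
    const int32_t samples[] = {4, 5, -1, 0x20000001};  /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int32_t cp = samples[i];
        printf("colorPoints=%d offset=%d weak=%s safe=%s\n",
               (int)cp, (int)wrap_mul4(cp),
               weak_check_accepts(cp, size) ? "accept" : "reject",
               safe_check_accepts(cp, size) ? "accept" : "reject");
    }
    return 0;
}
```

The weak check and the hardened check agree on in-range values (4 and 5) and differ only on the negative and wrapping inputs, which is where the offset becomes negative.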

Impact

Successful exploitation results in a heap out-of-bounds read, potentially disclosing sensitive heap memory contents to the attacker [2]. The read occurs while the library processes the gradient of the animated sticker. The impact is limited to information disclosure; code execution is not indicated in the available references.

Mitigation

Telegram released fixed versions: Android v7.1.0 (2090) on September 30, 2020; iOS v7.1 on September 30, 2020; and macOS v7.1 on October 2, 2020 [1]. Users should update to these or later versions. No workaround exists for unpatched clients.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Integer overflow / missing bounds check in a loop writing to a fixed-size gradient color table allows heap out-of-bounds write."

Attack vector

An attacker sends a Telegram user a malicious animated sticker (a Lottie JSON file). When the victim's Telegram client renders the sticker, the rlottie library parses the JSON and eventually calls `VGradientCache::generateGradientColorTable`. The attacker controls the `curr->first` float value in the gradient stop data, which determines how many times the loop writes into the fixed-size `colorTable` array. Because `pos` is never checked against the array size, the loop writes 4 bytes of ARGB-encoded color data past the end of the heap-allocated buffer, causing a heap-buffer-overflow [ref_id=1].

Affected code

The vulnerability is in the `VGradientCache::generateGradientColorTable` function within `rlottie/src/vector/vdrawhelper.cpp`. The `colorTable` array is a fixed-size buffer (1024 elements), but the loop writing into it does not check `pos` against `size` before writing. The loop condition `while (fpos <= curr->first)` uses `curr->first`, a float value taken directly from the attacker-controlled animated sticker JSON, allowing the loop to iterate far beyond the buffer bounds [ref_id=1].

What the fix does

Telegram patched the issue in client versions 7.1.0 (Android), 7.1 (iOS), and 7.1 (macOS) released in September/October 2020 [ref_id=1]. The advisory does not include a patch diff, but the fix would need to add a bounds check on `pos` against `size` inside the `while` loop in `generateGradientColorTable`, preventing writes beyond the `colorTable` array. The researcher notes that the other types of clients are not affected by the vulnerabilities identified [ref_id=1].

Preconditions

  • config: Victim must use Telegram Android <7.1.0 (2090), Telegram iOS <7.1, or Telegram macOS <7.1
  • input: Attacker must deliver a malicious animated sticker (Lottie JSON) to the victim
  • input: Victim must open or view the animated sticker, triggering rlottie rendering

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
