CVE-2026-10305
Description
rlottie library contains an out-of-bounds read vulnerability, potentially allowing buffer overreads.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An out-of-bounds read vulnerability exists in the Samsung Open Source rlottie library. This issue allows for the overreading of buffers. The vulnerability affects rlottie versions prior to the commit 223a2a41ba4f462e4abe767bebba49a366c9b9fd [1].
Exploitation
Details regarding the specific conditions or steps required for exploitation are not yet disclosed in the available references. An attacker would likely need to trigger a specific code path within the rlottie library that handles buffer operations to exploit this vulnerability.
Impact
Successful exploitation of this out-of-bounds read vulnerability could lead to the disclosure of sensitive information residing in memory beyond the intended buffer boundaries. The exact impact and privilege level depend on the context in which rlottie is used and the data accessible in the surrounding memory.
Mitigation
The vulnerability is addressed in rlottie by commit 223a2a41ba4f462e4abe767bebba49a366c9b9fd [1]. Users are advised to update to a version of rlottie that includes this fix. No other mitigation or workaround details are available in the provided references.
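One way to check whether a vendored rlottie git checkout already contains the fix commit named above. This is an added example, not code from the rlottie project or this advisory; the function name `rlottie_fix_status` and its exit codes are assumptions.

```shell
#!/bin/sh
# Added example: does a git checkout of rlottie include the fix commit?
# Function name and exit codes are assumptions of this example.

FIX_COMMIT=223a2a41ba4f462e4abe767bebba49a366c9b9fd   # hash quoted in the advisory

# Usage: rlottie_fix_status <checkout-dir> [commit]
# Prints one word and returns 0 = fixed, 1 = vulnerable, 2 = unknown.
rlottie_fix_status() {
    _repo=$1
    _commit=${2:-$FIX_COMMIT}

    # A tarball drop or copied source tree has no history to query.
    if ! git -C "$_repo" rev-parse --git-dir >/dev/null 2>&1; then
        echo unknown; return 2
    fi

    # The commit object is absent: shallow clone, stale fetch, or a fork
    # with rewritten history. History alone cannot decide, so do not guess.
    if ! git -C "$_repo" cat-file -e "${_commit}^{commit}" 2>/dev/null; then
        echo unknown; return 2
    fi

    # The object exists: the checkout is fixed only if HEAD descends from it.
    _rc=0
    git -C "$_repo" merge-base --is-ancestor "$_commit" HEAD 2>/dev/null || _rc=$?
    case $_rc in
        0) echo fixed; return 0 ;;
        1) echo vulnerable; return 1 ;;
        *) echo unknown; return 2 ;;   # git reported an error, not an answer
    esac
}
```

A backport cherry-picked under a different hash reports `vulnerable` or `unknown`, so confirm those results against the source itself.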
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <223a2a41ba4f462e4abe767bebba49a366c9b9fd
Patches
1b4f5101a4d1a fixed signed shift issue
2 files changed · +11 −6
src/vector/freetype/v_ft_raster.cpp+5 −5 modified@@ -187,17 +187,17 @@ typedef struct SW_FT_Outline_Funcs_ { #define ONE_PIXEL (1L << PIXEL_BITS) #define PIXEL_MASK (-1L << PIXEL_BITS) #define TRUNC(x) ((TCoord)((x) >> PIXEL_BITS)) -#define SUBPIXELS(x) ((TPos)(x) << PIXEL_BITS) +#define SUBPIXELS(x) ((TPos)((unsigned long)(x) << PIXEL_BITS)) #define FLOOR(x) ((x) & -ONE_PIXEL) #define CEILING(x) (((x) + ONE_PIXEL - 1) & -ONE_PIXEL) #define ROUND(x) (((x) + ONE_PIXEL / 2) & -ONE_PIXEL) #if PIXEL_BITS >= 6 -#define UPSCALE(x) ((x) << (PIXEL_BITS - 6)) +#define UPSCALE(x) ((TPos)((unsigned long)(x) << (PIXEL_BITS - 6))) #define DOWNSCALE(x) ((x) >> (PIXEL_BITS - 6)) #else -#define UPSCALE(x) ((x) >> (6 - PIXEL_BITS)) -#define DOWNSCALE(x) ((x) << (6 - PIXEL_BITS)) +#define UPSCALE(x) ((x) >> (6 - PIXEL_BITS)) +#define DOWNSCALE(x) ((TPos)((unsigned long)(x) << (6 - PIXEL_BITS))) #endif /* Compute `dividend / divisor' and return both its quotient and */ @@ -1018,7 +1018,7 @@ static int SW_FT_Outline_Decompose(const SW_FT_Outline* outline, void* user) { #undef SCALED -#define SCALED(x) (((x) << shift) - delta) +#define SCALED(x) ((TPos)((unsigned long)(x) << shift) - delta) SW_FT_Vector v_last; SW_FT_Vector v_control;
src/vector/vdrawhelper.cpp+6 −1 modified@@ -138,6 +138,11 @@ bool VGradientCache::generateGradientColorTable(const VGradientStops &stops, if (!vCompare(opacity, 1.0f)) alpha = true; + if (stopCount == 0) { + for (int j = 0; j < size; ++j) colorTable[j] = 0; + return alpha; + } + start = stops.data(); curr = start; if (!curr->second.isOpaque()) alpha = true; @@ -153,7 +158,7 @@ bool VGradientCache::generateGradientColorTable(const VGradientStops &stops, fpos += incr; } - for (i = 0; i < stopCount - 1; ++i) { + for (i = 0; i + 1 < stopCount; ++i) { curr = (start + i); next = (start + i + 1); delta = 1 / (next->first - curr->first);
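Review bot: In the first hunk of src/vector/freetype/v_ft_raster.cpp, PIXEL_MASK in the unchanged context is still defined as (-1L << PIXEL_BITS), a left shift of a negative signed value, which is the same class of undefined behaviour (before C++20) that this patch removes from SUBPIXELS, UPSCALE and DOWNSCALE. Suggest defining it as -ONE_PIXEL, the form FLOOR already uses. The casts also go through unsigned long, which is 32 bits on LLP64 targets; TPos is not defined in the visible lines, but if it is wider than long there the shift would truncate, so casting through the unsigned counterpart of TPos would be safer. In the #else branch UPSCALE keeps the type of x while the #if branch now yields TPos; making both branches return the same type would avoid surprises.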
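Review bot: In the SCALED hunk of src/vector/freetype/v_ft_raster.cpp (around line 1018), the cast to unsigned long removes the signed-overflow problem but not a shift count that is too large: the visible lines do not show how shift is bounded, and shifting by the width of the type or more is undefined for unsigned operands too. Suggest asserting or documenting the range of shift next to the macro. The subtraction of delta still happens in TPos after the cast, so a comment stating the expected range of the result would help as well.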
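Review bot: The stopCount == 0 guard in the first hunk of src/vector/vdrawhelper.cpp is the memory-safety part of this change, since without it start = stops.data() and curr->second.isOpaque() run on an empty stop list, yet the commit title "fixed signed shift issue" does not mention it. Suggest splitting it into its own commit or naming it in the message, adding a one-line comment on why colorTable is zeroed rather than left untouched, and adding a regression test that passes an empty VGradientStops.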
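Review bot: In the second hunk of src/vector/vdrawhelper.cpp, delta = 1 / (next->first - curr->first) in the loop body still has no guard for two adjacent stops that share the same position, where the divisor is zero. Suggest skipping or clamping that segment before dividing. The rewritten bound i + 1 < stopCount avoids the wraparound of stopCount - 1 if stopCount is unsigned and zero, but with the early return added in the previous hunk that case no longer reaches the loop, so a short comment marking the bound as defensive would make the intent clear.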
References
News mentions
- Samsung rlottie: Seven Medium-Severity Memory Corruption Vulnerabilities Disclosed, Vypr Intelligence · Jun 4, 2026