CVE-2026-47320
Description
rlottie vulnerable to null pointer dereference and uncontrolled recursion, potentially leading to crashes or denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Samsung Open Source rlottie is affected by two vulnerabilities: an access of an uninitialized pointer and uncontrolled recursion. The uninitialized pointer issue occurs in Property::value() when animation keyframes are discarded during parsing, leaving the frames array empty, leading to a null pointer dereference. The uncontrolled recursion arises from cyclic parent layer references in Layer::matrix(), which can cause a stack overflow. These issues affect rlottie versions prior to commit eae37633fda13ac05b25c6c95aacea4bc33c80a3 [1].
Exploitation
An attacker could exploit these vulnerabilities by providing specially crafted animation data. For the null pointer dereference, the attacker would need to craft an animation that results in empty frames after parsing. For the uncontrolled recursion, the attacker would need to create a complex, cyclic parent-child layer structure within the animation data. No specific network position, authentication, or user interaction is mentioned as required for exploitation in the available references.
Impact
Successful exploitation of the null pointer dereference vulnerability can lead to a crash in the rlottie library, resulting in a denial of service. The uncontrolled recursion vulnerability can lead to a stack overflow, also resulting in a denial of service. The specific impact on the application using rlottie depends on how the library is integrated and how crashes are handled.
Mitigation
These vulnerabilities were addressed in rlottie by commit eae37633fda13ac05b25c6c95aacea4bc33c80a3 [1]. The fix for the null pointer dereference involves adding an empty-frames guard in Property::value(). The fix for uncontrolled recursion involves adding depth limiting to Layer::matrix(). Users are advised to update to a version of rlottie that includes this commit. No information regarding workarounds or end-of-life status is available in the provided references.
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE) range: < eae37633fda13ac05b25c6c95aacea4bc33c80a3
Patches
166f57706a5da Merge eae37633fda13ac05b25c6c95aacea4bc33c80a3 into ffe60942892c3d68b14560761ea920d360ef51bb
3 files changed · +11 −1
src/lottie/lottieitem.cpp+9 −1 modified@@ -447,8 +447,16 @@ void renderer::Layer::update(int frameNumber, const VMatrix &parentMatrix, VMatrix renderer::Layer::matrix(int frameNo) const { + return matrix(frameNo, 0); +} + +VMatrix renderer::Layer::matrix(int frameNo, int depth) const +{ + // Prevent infinite recursion from cyclic parent references + if (depth > 64) return VMatrix{}; + return mParentLayer - ? (mLayerData->matrix(frameNo) * mParentLayer->matrix(frameNo)) + ? (mLayerData->matrix(frameNo) * mParentLayer->matrix(frameNo, depth + 1)) : mLayerData->matrix(frameNo); }
src/lottie/lottieitem.h+1 −0 modified@@ -223,6 +223,7 @@ class Layer { virtual void update(int frameNo, const VMatrix &parentMatrix, float parentAlpha); VMatrix matrix(int frameNo) const; + VMatrix matrix(int frameNo, int depth) const; void preprocess(const VRect &clip); virtual DrawableList renderList() { return {}; } virtual void render(VPainter *painter, const VRle &mask,
src/lottie/lottiemodel.h+1 −0 modified@@ -345,6 +345,7 @@ class Property { value().toPath(path); } else { const auto &vec = animation().frames_; + if (vec.empty()) return; if (vec.front().start_ >= frameNo) return vec.front().value_.start_.toPath(path); if (vec.back().end_ <= frameNo)
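Review bot: In the lottieitem.cpp hunk, the depth cutoff `if (depth > 64) return VMatrix{};` makes a chain of more than 65 parents fail silently: the walk stops and the layers below the cutoff render with an identity transform instead of their inherited one, with no log or error to distinguish a cyclic file from a legitimately deep one. The number 64 also appears only as a literal here and in the narrative; naming it (e.g. a `constexpr int kMaxParentDepth = 64;` next to the function) and expanding the comment to say that the cutoff returns identity would make the behaviour easier to audit. Note too that this bounds the recursion rather than detecting the cycle, so a cyclic file still walks 65 levels on every `matrix()` call for every frame.

Review bot: In the lottieitem.h hunk, the new `VMatrix matrix(int frameNo, int depth) const;` is declared in the public section beside the single-argument `matrix(int frameNo) const;`, so any caller can pass an arbitrary `depth` and bypass the limit by starting near 64 or below zero. Since `depth` is an implementation detail of the recursion, consider declaring the two-argument overload private and leaving only `matrix(int frameNo)` public, or documenting that `depth` is internal.

Review bot: In the lottiemodel.h hunk, `if (vec.empty()) return;` fixes the `vec.front()` / `vec.back()` dereference but leaves the output `path` untouched, so a caller that assumes the path was populated after this call sees whatever it held before; the visible context does not show whether callers clear `path` first, which is worth confirming. The same `animation().frames_` front/back access pattern is likely present in the other keyframe-interpolating accessors of `Property`, so it is worth checking whether they need the same guard rather than only the `toPath` branch.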
Vulnerability mechanics
Root cause
"The library fails to handle empty keyframes during parsing and does not limit recursion depth for layer parent references."
Attack vector
An attacker can craft a malicious lottie file containing oversized serialized data payloads or cyclic parent layer references. When this file is parsed by the rlottie library, it can trigger a null pointer dereference or a stack overflow. The null pointer dereference occurs when animation keyframes are discarded, leaving the frames array empty, and the stack overflow happens when layer parent references exceed 64 levels [ref_id=1].
Affected code
The vulnerability resides in the `Property<PathData>::value()` method within `lottiemodel.h` and the `Layer::matrix()` method in `lottieitem.cpp`. The former is susceptible to null pointer dereferences due to missing empty-frames guards, while the latter can lead to stack overflows from uncontrolled recursion in layer parent handling [ref_id=1].
What the fix does
The patch addresses two stability issues. First, it adds a guard for empty frames in the Property<PathData>::value() method to prevent null pointer dereferences when keyframes are discarded [patch_id=4787682]. Second, it implements depth limiting in Layer::matrix() to prevent stack overflows caused by cyclic layer parent references, returning an identity matrix if the depth exceeds 64 levels [patch_id=4787682].
Preconditions
- input: A specially crafted lottie file.
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1 news mention
- Samsung rlottie: Seven Medium-Severity Memory Corruption Vulnerabilities Disclosed (Vypr Intelligence · Jun 4, 2026)