Samsung / rlottie

A platform independent standalone library that plays Lottie Animation.

Crashes during parsing of malformed JSON files #514

Closed retpoline closed 2 years ago

retpoline commented 2 years ago

Hi team,

Some crashes were found while fuzz testing the lottie2gif binary; they can be triggered via malformed JSON files. Although these malformed files only crash the program, they could potentially be crafted further into security issues where these kinds of JSON files would be able to compromise the process's memory through memory corruption, so hardening the code to prevent these kinds of bugs would be great to mitigate such issues.

See details below for repros and debug information.

crash-1.json

{"v":"4.6.10","fr":15,"ip":0,"op":155,"w":1080,"h":1920,"nm":"background","ddd":0,"assets":[],"layers":[{"ddd":0,"ind":1,"ty":4,"nm":"Shape Layer 1","ks":{"o":{"a":0,"k":100},"r":{"a":0,"k":0},"p":{"a":0,"k":[540,960,0]},"a":{"a":0,"k":[0,0,0]},"s":{"a":0,"k":[100,100,100]}},"ao":0,"shapes":[{"ty":"gr","it":[{"ty":"rc","d":1,"s":{"a":0,"k":[1160,880]},"p":{"a":0,"k":[0,0]},"r":{"a":0,"k":0},"nm":"Rectangle Path 1","mn":"ADBE Vector Shape - Rect"},{"ty":"st","c":{"a":0,"k":[0.9960784,0.7843137,0.145098,1]},"o":{"a":0,"k":100},"w":{"a":0,"k":6},"lc":1,"lj":1,"ml":4,"nm":"Stroke 1","mn":"ADBE Vector Graphic - Stroke"},{"ty":"gf","o":{"a":0,"k":100},"r":1,"g":{"p":3,"k":{"a":1,"k":[{"i":{"x":0.833,"y":0.833},"o":{"x":0.167,"y":0.167},"n":"0p833_0p833_0p167_0p167","t":0,"s":[0,0.511,0.89,0.283,0.5,0.334,0.873,0.583,1,0.156,0.857,0.882],"e":[0,0.726,0.283,0.89,0.5,0.441,0.356,0.886,0,0.156,0.429,0.882]},{"i":{"x":0.833,"y":0.833},"o":{"x":0.167,"y":0.167},"n":"0p833_0p833_0p167_0p167","t":31,"s":[0,0.726,0.283,0.89,0.5,0.441,0.356,0.886,1,0.156,0.429,0.882],"e":[0,0.89,0.283,0.283,0.5,0.886,0.553,0.219,1,0.882,0.823,0.156]},{"i":{"x":0.833,"y":0.833},"o":{"x":0.167,"y":0.167},"n":"0p833_0p833_0p167_0p167","t":61,"s":[4294967297,0.89,0.283,0.283,0.5,0.886,0.553,0.219,1,0.882,0.823,0.156],"e":[0,0,0.312,0.737,0.5,0.078,0.597,0.754,1,0.156,0.882,0.771]},{"i":{"x":0.833,"y":12691291551.833},"o":{"x":0.167,"y":0.4294967295},"n":"0p833_0p833_0p170_0p167","t":91,"s":[0,0,0.312,0.737,0.5,0.078,0.597,0.754,1,0.156,0.882,0.771],"e":[0,0.51,0.89,0.282,0.5,0.333,0.873,0.582,1,0.157,0.855,0.882]},{"t":120}]}},"s":{"a":1,"k":[{"i":{"x":0.833,"y":0.833},"o":{"x":0.167,"y":0.167},"n":"0p833_0p833_0p167_0p167","t":0,"s":[-430.769,-404.573],"e":[23.726,-364.48],"to":[75.7491683959961,6.68213844299316],"ti":[-123.915840148926,-8.51547145843506]},{"i":{"x":0.833,"y":0.833},"o":{"x":0.167,"y":0.167},"n":"0p833_0p833_0p167_0p167","t":31,"s":[23.726,-364.48],"e":[312.726,-353.48],"to":[123.915840148926,8.51547145843506],"ti":[-1.00208830833435,-1.83333337306976]},{"i":{"x":0.833,"y":0.833},"o":{"x":0.167,"y":0.167},"n":"0p833_0p833_0p167_0p167","t":61,"s":[312.726,-353.48],"e":[29.739,-353.48],"to":[1.00208830833435,1.83333337306976],"ti":[120.055290222168,0.60746711492538]},{"i":{"x":0.833,"y":0.833},"o":{"x":0.167,"y":0.167},"n":"0p833_0p833_0p167_0p167","t":91,"s":[29.739,-353.48],"e":[-407.606,-357.125],"to":[-120.055290222168,-0.60746711492538],"ti":[72.8907089233398,0.60746711492538]},{"t":120}]},"e":{"a":1,"k":[{"i":{"x":0.833,"y":0.833},"o":{"x":0.167,"y":0.167},"n":"0p833_0p833_0p167_0p167","t":0,"s":[374.412,342.611],"e":[22.822,357.191],"to":[-58.5984153747559,2.42986845970154],"ti":[132.520950317383,-7.89707231521606]},{"i":{"x":0.833,"y":0.833},"o":{"x":0.167,"y":0.167},"n":"0p833_0p833_0p167_0p167","t":31,"s":[22.822,357.191],"e":[-420.714,389.994],"to":[-132.520950317383,7.89707231521606],"ti":[-4.68509674072266,-7.89707231521606]},{"i":{"x":0.833,"y":0.833},"o":{"x":0.167,"y":0.167},"n":"0p833_0p833_0p167_0p167","t":61,"s":[-420.714,389.994],"e":[50.932,404.573],"to":[4.68509674072266,7.89707231521606],"ti":[-132.918350219727,4.25226974487305]},{"i":{"x":0.833,"y":0.833},"o":{"x":0.167,"y":0.167},"n":"0p833_0p833_0p167_0p167","t":91,"s":[50.932,404.573],"e":[376.797,364.48],"to":[132.918350219727,-4.25226974487305],"ti":[-54.3107261657715,6.68213844299316]},{"t":120}]},"t":1,"nm":"Gradient Fill 1","mn":"ADBE Vector Graphic - G-Fill"},{"ty":"tr","p":{"a":0,"k":[0,0],"ix":2},"a":{"a":0,"k":[0,0],"ix":1},"s":{"a":0,"k":[93.29,219.491],"ix":3},"r":{"a":0,"k":0,"ix":6},"o":{"a":0,"k":100,"ix":7},"sk":{"a":0,"k":0,"ix":4},"sa":{"a":0,"k":0,"ix":5},"nm":"Transform"}],"nm":"Rectangle 1","np":3,"cix":2,"ix":1,"mn":"ADBE Vector Group"}],"ip":0,"op":155,"st":0,"bm":0,"sr":1},{"ddd":0,"ind":2,"ty":1,"nm":"Deep Red Solid 1","ks":{"o":{"a":0,"k":100},"r":{"a":0,"k":0},"p":{"a":0,"k":[540,960,0]},"a":{"a":0,"k":[540,960,0]},"s":{"a":0,"k":[100,100,100]}},"ao":0,"sw":1080,"sh":1920,"sc":"#be2a2a","ip":0,"op":155,"st":0,"bm":0,"sr":1}]}

Debug info

cmdline ['lottie2gif', 'crash-1.json'] exited with invalid memory access (SIGSEGV)

Reading symbols from lottie2gif...

Starting program: lottie2gif crash-1.json
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7ffff79b1700 (LWP 3357402)]
[New Thread 0x7ffff71b0700 (LWP 3357403)]

Thread 1 "lottie2gif" received signal SIGSEGV, Segmentation fault.
0x00007ffff7f979f3 in VGradientCache::generateGradientColorTable (
    this=this@entry=0x7ffff7fc6540 <VGradientCache::instance()::CACHE>, 
    stops=std::vector of length 3, capacity 4 = {...}, opacity=1, 
    colorTable=colorTable@entry=0x555555581a90, size=size@entry=1024)
    at ../src/vector/vdrawhelper.cpp:151
151         colorTable[pos] = colorTable[pos - 1];

#0  0x00007ffff7f979f3 in VGradientCache::generateGradientColorTable (
    this=this@entry=0x7ffff7fc6540 <VGradientCache::instance()::CACHE>, 
    stops=std::vector of length 3, capacity 4 = {...}, opacity=1, 
    colorTable=colorTable@entry=0x555555581a90, size=size@entry=1024)
    at ../src/vector/vdrawhelper.cpp:151
#1  0x00007ffff7f98761 in VGradientCache::addCacheElement (
    this=this@entry=0x7ffff7fc6540 <VGradientCache::instance()::CACHE>, 
    hash_val=hash_val@entry=12878915072, gradient=...)
    at ../src/vector/vbrush.h:44
#2  0x00007ffff7f98ac2 in VGradientCache::getBuffer (
    this=0x7ffff7fc6540 <VGradientCache::instance()::CACHE>, gradient=...)
    at ../src/vector/vdrawhelper.cpp:89
#3  0x00007ffff7f97e67 in VSpanData::setup (this=this@entry=0x7fffffffdf98, 
    brush=...) at ../src/vector/vdrawhelper.cpp:661
#4  0x00007ffff7f9612d in VPainter::setBrush (this=this@entry=0x7fffffffdf68, 
    brush=...) at ../src/vector/vpainter.cpp:116
#5  0x00007ffff7fb76f6 in rlottie::internal::renderer::Layer::render (
    this=0x55555556faa8, painter=0x7fffffffdf68, inheritMask=..., matteRle=...)
    at ../src/lottie/lottieitem.cpp:234
#6  0x00007ffff7fb799a in rlottie::internal::renderer::CompLayer::renderHelper
    (this=0x55555556f960, painter=0x7fffffffdf68, inheritMask=..., 
    matteRle=..., cache=...) at ../src/lottie/lottieitem.cpp:549
#7  0x00007ffff7fb7359 in rlottie::internal::renderer::Composition::render (
    this=0x55555556f840, surface=...) at ../src/vector/vrle.h:34
#8  0x00007ffff7fb3652 in AnimationImpl::render (
    keepAspectRatio=<optimized out>, surface=..., frameNo=<optimized out>, 
    this=0x55555556f7f0) at /usr/include/c++/9/bits/unique_ptr.h:360
#9  AnimationImpl::render (this=0x55555556f7f0, frameNo=<optimized out>, 
    surface=..., keepAspectRatio=<optimized out>)
    at ../src/lottie/lottieanimation.cpp:108
#10 0x00007ffff7fb37d6 in rlottie::Animation::renderSync (
    this=<optimized out>, frameNo=<optimized out>, surface=..., 
    keepAspectRatio=<optimized out>)
    at /usr/include/c++/9/bits/unique_ptr.h:360
#11 0x0000555555558034 in App::render (this=0x7fffffffe2b0, w=<optimized out>, 
    h=<optimized out>) at /usr/include/c++/9/bits/unique_ptr.h:360
#12 0x0000555555556571 in main (argc=<optimized out>, argv=<optimized out>)
    at ../example/lottie2gif.cpp:175

rax            0x8d15c             577884
rbx            0x555555571340      93824992351040
rcx            0xffe24848          4293019720
rdx            0x0                 0
rsi            0xff                255
rdi            0x555555571344      93824992351044
rbp            0x400               0x400
rsp            0x7fffffffdc80      0x7fffffffdc80
r8             0xff                255
r9             0xd1                209
r10            0xe0                224
r11            0x7ffff7d6abff      140737351429119
r12            0x3                 3
r13            0xffe24848          4293019720
r14            0x555555581a90      93824992418448
r15            0x555555581a00      93824992418304
rip            0x7ffff7f979f3      0x7ffff7f979f3 <VGradientCache::generateGradientColorTable(std::vector<std::pair<float, VColor>, std::allocator<std::pair<float, VColor> > > const&, float, unsigned int*, int)+161>
eflags         0x10202             [ IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0

=> 0x7ffff7f979f3 <VGradientCache::generateGradientColorTable(std::vector<std::pair<float, VColor>, std::allocator<std::pair<float, VColor> > > const&, float, unsigned int*, int)+161>:    mov    %ecx,(%r14,%rax,4)
   0x7ffff7f979f7 <VGradientCache::generateGradientColorTable(std::vector<std::pair<float, VColor>, std::allocator<std::pair<float, VColor> > > const&, float, unsigned int*, int)+165>:    inc    %rax
   0x7ffff7f979fa <VGradientCache::generateGradientColorTable(std::vector<std::pair<float, VColor>, std::allocator<std::pair<float, VColor> > > const&, float, unsigned int*, int)+168>:    jmp    0x7ffff7f979e2 <VGradientCache::generateGradientColorTable(std::vector<std::pair<float, VColor>, std::allocator<std::pair<float, VColor> > > const&, float, unsigned int*, int)+144>
   0x7ffff7f979fc <VGradientCache::generateGradientColorTable(std::vector<std::pair<float, VColor>, std::allocator<std::pair<float, VColor> > > const&, float, unsigned int*, int)+170>:    lea    -0x1(%r12),%rax

'exploitable' version 1.32
Linux ubuntu 5.11.0-43-generic #47~20.04.2-Ubuntu SMP Mon Dec 13 11:06:56 UTC 2021 x86_64
Signal si_signo: 11 Signal si_addr: 93824994729984
Nearby code:
   0x00007ffff7f979e2 <+144>:   comiss xmm2,xmm1
   0x00007ffff7f979e5 <+147>:   movsxd rcx,eax
   0x00007ffff7f979e8 <+150>:   jb     0x7ffff7f979fc <VGradientCache::generateGradientColorTable(std::vector<std::pair<float, VColor>, std::allocator<std::pair<float, VColor> > > const&, float, unsigned int*, int)+170>
   0x00007ffff7f979ea <+152>:   mov    ecx,DWORD PTR [r14+rax*4-0x4]
   0x00007ffff7f979ef <+157>:   addss  xmm1,xmm3
=> 0x00007ffff7f979f3 <+161>:   mov    DWORD PTR [r14+rax*4],ecx
   0x00007ffff7f979f7 <+165>:   inc    rax
   0x00007ffff7f979fa <+168>:   jmp    0x7ffff7f979e2 <VGradientCache::generateGradientColorTable(std::vector<std::pair<float, VColor>, std::allocator<std::pair<float, VColor> > > const&, float, unsigned int*, int)+144>
   0x00007ffff7f979fc <+170>:   lea    rax,[r12-0x1]
   0x00007ffff7f97a01 <+175>:   add    rbx,0xc

Stack trace:
#  0 VGradientCache::generateGradientColorTable at 0x7ffff7f979f3 in build/src/librlottie.so.0.2
#  1 VGradientCache::addCacheElement at 0x7ffff7f98761 in build/src/librlottie.so.0.2
#  2 VGradientCache::getBuffer at 0x7ffff7f98ac2 in build/src/librlottie.so.0.2
#  3 VSpanData::setup at 0x7ffff7f97e67 in build/src/librlottie.so.0.2
#  4 VPainter::setBrush at 0x7ffff7f9612d in build/src/librlottie.so.0.2
#  5 rlottie::internal::renderer::Layer::render at 0x7ffff7fb76f6 in build/src/librlottie.so.0.2
#  6 rlottie::internal::renderer::CompLayer::renderHelper at 0x7ffff7fb799a in build/src/librlottie.so.0.2
#  7 rlottie::internal::renderer::Composition::render at 0x7ffff7fb7359 in build/src/librlottie.so.0.2
#  8 AnimationImpl::render at 0x7ffff7fb3652 in build/src/librlottie.so.0.2
#  9 AnimationImpl::render at 0x7ffff7fb3652 in build/src/librlottie.so.0.2
# 10 rlottie::Animation::renderSync at 0x7ffff7fb37d6 in build/src/librlottie.so.0.2
# 11 App::render at 0x555555558034 in build/example/lottie2gif
# 12 main at 0x555555556571 in build/example/lottie2gif

Faulting frame: #  0 VGradientCache::generateGradientColorTable at 0x7ffff7f979f3 in build/src/librlottie.so.0.2
Description: Access violation on destination operand
Short description: DestAv (8/22)
Hash: fc8f4192fb8b1c115c0cd2cee25e0f13.26d2445692c3b39141bc2b05a5c10380
Exploitability Classification: EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control the write address and/or value.
Other tags: AccessViolation (21/22)

crash-2.json

{"":"","":0,"":0,"":0,"":0,"":0,"":"","":1,"":[],"layers":[{"":1,"":1,"":4,"":"","":1,"":{"":{"":0,"":0,"":1},"":{"":0,"":0,"":8},"":{"":0,"":0,"":9},"":{"":1,"":[{"":{"":[0.3],"":[0.3]},"":{"":[0.6],"":[0.6]},"":[""],"":0,"":[],"":[]},{"":5}],"":0},"":{"":0,"":[0,0,0],"":7},"":{"":0,"":[],"":2},"":{"":0,"":[0,0,0],"":1},"":{"":0,"":[],"":6}},"":0,"shapes":[{"":"","":1,"":{"":0,"":[],"":2},"":{"":0,"":[0,0],"":3},"":{"":0,"":0,"":4},"":"","":"","":false},{"ty"]}

Debug info

cmdline ['lottie2gif', 'crash-2.json'] exited with invalid memory access (SIGSEGV)

Reading symbols from lottie2gif...

Starting program: lottie2gif crash-2.json
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
__strcmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:101
101 ../sysdeps/x86_64/multiarch/strcmp-avx2.S: No such file or directory.
#0  __strcmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:101
#1  0x00007ffff7fa9d62 in LottieParserImpl::parseObjectTypeAttr (
    this=this@entry=0x7fffffffdca8) at ../src/lottie/lottieparser.cpp:1143
#2  0x00007ffff7fa9f82 in LottieParserImpl::parseObject (
    this=this@entry=0x7fffffffdca8, parent=parent@entry=0x55555556e820)
    at ../src/lottie/lottieparser.cpp:1190
#3  0x00007ffff7faa08b in LottieParserImpl::parseShapesAttr (
    this=this@entry=0x7fffffffdca8, layer=0x55555556e820)
    at ../src/lottie/lottieparser.cpp:1136
#4  0x00007ffff7faa38c in LottieParserImpl::parseLayer (
    this=this@entry=0x7fffffffdca8) at ../src/lottie/lottieparser.cpp:1011
#5  0x00007ffff7faac2d in LottieParserImpl::parseLayers (
    this=this@entry=0x7fffffffdca8, comp=comp@entry=0x55555556e6b0)
    at ../src/lottie/lottieparser.cpp:883
#6  0x00007ffff7faae0e in LottieParserImpl::parseComposition (
    this=this@entry=0x7fffffffdca8) at ../src/lottie/lottieparser.cpp:676
#7  0x00007ffff7fab138 in rlottie::internal::model::parse(char*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::function<void (float&, float&, float&)>) (str=0x555555570540 "{\"", dir_path="", 
    filter=...) at ../src/lottie/lottieparser.cpp:2371
#8  0x00007ffff7fb0f64 in rlottie::internal::model::loadFromFile (
    path="crash-2.json", 
    cachePolicy=<optimized out>) at /usr/include/c++/9/bits/basic_string.h:2300
#9  0x00007ffff7fb3d47 in rlottie::Animation::loadFromFile (path=..., 
    cachePolicy=<optimized out>) at ../src/lottie/lottieanimation.cpp:319
#10 0x0000555555557efe in App::render (this=0x7fffffffe2b0, w=200, h=200)
    at ../example/lottie2gif.cpp:82
#11 0x0000555555556571 in main (argc=<optimized out>, argv=<optimized out>)
    at ../example/lottie2gif.cpp:175

rax            0xc5b               3163
rbx            0x55555556e820      93824992340000
rcx            0xfffffffc          4294967292
rdx            0x0                 0
rsi            0x7ffff7fc2c5b      140737353886811
rdi            0x0                 0
rbp            0x7fffffffdca8      0x7fffffffdca8
rsp            0x7fffffffda98      0x7fffffffda98
r8             0x7ffff7fc11c4      140737353880004
r9             0x7fffffffdca8      140737488346280
r10            0x0                 0
r11            0x1fffffffffffff    9007199254740991
r12            0x0                 0
r13            0x7fffffffdb01      140737488345857
r14            0x555555570540      93824992347456
r15            0x7fffffffde80      140737488346752
rip            0x7ffff7d05b7e      0x7ffff7d05b7e <__strcmp_avx2+30>
eflags         0x10287             [ CF PF SF IF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0

=> 0x7ffff7d05b7e <__strcmp_avx2+30>:   vmovdqu (%rdi),%ymm1
   0x7ffff7d05b82 <__strcmp_avx2+34>:   vpcmpeqb (%rsi),%ymm1,%ymm0
   0x7ffff7d05b86 <__strcmp_avx2+38>:   vpminub %ymm1,%ymm0,%ymm0
   0x7ffff7d05b8a <__strcmp_avx2+42>:   vpcmpeqb %ymm7,%ymm0,%ymm0

'exploitable' version 1.32
Linux ubuntu 5.11.0-43-generic #47~20.04.2-Ubuntu SMP Mon Dec 13 11:06:56 UTC 2021 x86_64
Signal si_signo: 11 Signal si_addr: 0
Nearby code:
   0x00007ffff7d05b68 <+8>: vpxor  ymm7,ymm7,ymm7
   0x00007ffff7d05b6c <+12>:    or     eax,esi
   0x00007ffff7d05b6e <+14>:    and    eax,0xfff
   0x00007ffff7d05b73 <+19>:    cmp    eax,0xf80
   0x00007ffff7d05b78 <+24>:    jg     0x7ffff7d05ed0 <__strcmp_avx2+880>
=> 0x00007ffff7d05b7e <+30>:    vmovdqu ymm1,YMMWORD PTR [rdi]
   0x00007ffff7d05b82 <+34>:    vpcmpeqb ymm0,ymm1,YMMWORD PTR [rsi]
   0x00007ffff7d05b86 <+38>:    vpminub ymm0,ymm0,ymm1
   0x00007ffff7d05b8a <+42>:    vpcmpeqb ymm0,ymm0,ymm7
   0x00007ffff7d05b8e <+46>:    vpmovmskb ecx,ymm0

Stack trace:
#  0 __strcmp_avx2 at 0x7ffff7d05b7e in /usr/lib/x86_64-linux-gnu/libc-2.31.so (BL)
#  1 LottieParserImpl::parseObjectTypeAttr at 0x7ffff7fa9d62 in build/src/librlottie.so.0.2
#  2 LottieParserImpl::parseObject at 0x7ffff7fa9f82 in build/src/librlottie.so.0.2
#  3 LottieParserImpl::parseShapesAttr at 0x7ffff7faa08b in build/src/librlottie.so.0.2
#  4 LottieParserImpl::parseLayer at 0x7ffff7faa38c in build/src/librlottie.so.0.2
#  5 LottieParserImpl::parseLayers at 0x7ffff7faac2d in build/src/librlottie.so.0.2
#  6 LottieParserImpl::parseComposition at 0x7ffff7faae0e in build/src/librlottie.so.0.2
#  7 rlottie::internal::model::parse(char*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::function<void (float&, float&, float&)>) at 0x7ffff7fab138 in build/src/librlottie.so.0.2
#  8 rlottie::internal::model::loadFromFile at 0x7ffff7fb0f64 in build/src/librlottie.so.0.2
#  9 rlottie::Animation::loadFromFile at 0x7ffff7fb3d47 in build/src/librlottie.so.0.2
# 10 App::render at 0x555555557efe in build/example/lottie2gif
# 11 main at 0x555555556571 in build/example/lottie2gif

Faulting frame: #  1 LottieParserImpl::parseObjectTypeAttr at 0x7ffff7fa9d62 in build/src/librlottie.so.0.2
Description: Access violation near NULL on source operand
Short description: SourceAvNearNull (16/22)
Hash: 144724c9535bd48a32da03bdf0cbf2d2.8e692ec4cec22337ecc995f54592e137
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation, which may mean the application crashed on a simple NULL dereference to data structure that has no immediate effect on control of the processor.
Other tags: AccessViolation (21/22)
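
The crash-1 backtrace faults at `colorTable[pos] = colorTable[pos - 1]` while the gradient stops carry offsets such as 4294967297 in place of values in [0, 1], and the nearby code shows the loop advancing `pos` under a float comparison only. As an added example, not rlottie's code (the `Stop` layout, the fill algorithm and the function names are assumptions made for illustration), here is a colour-table fill whose float-threshold loops also test `pos < size`, behind a stop validator that rejects such offsets before any rendering code sees them:

```cpp
// Added example, not rlottie's code: a gradient colour-table fill in the shape
// the crash-1 backtrace suggests (float-threshold loops stepping an int index),
// hardened so that no index is used before it is checked against the table
// size. The Stop layout, the algorithm and the names are assumptions.
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <utility>
#include <vector>

using Stop = std::pair<float, uint32_t>;  // (offset, 0xAARRGGBB colour); assumed layout

// Per-channel linear interpolation between two ARGB colours.
static uint32_t lerpColor(uint32_t c0, uint32_t c1, float t) {
    uint32_t out = 0;
    for (int shift = 0; shift < 32; shift += 8) {
        const float a = static_cast<float>((c0 >> shift) & 0xFFu);
        const float b = static_cast<float>((c1 >> shift) & 0xFFu);
        const uint32_t ch = static_cast<uint32_t>(std::lround(a + (b - a) * t)) & 0xFFu;
        out |= ch << shift;
    }
    return out;
}

// Reject stops parsed from untrusted JSON before any table-filling code sees
// them: offsets must be finite, inside [0, 1] and non-decreasing. The crash-1
// file carries an offset of 4294967297, which fails the range test.
static bool stopsAreSane(const std::vector<Stop>& stops) {
    if (stops.empty()) return false;
    float prev = 0.0f;
    for (const Stop& s : stops) {
        if (!std::isfinite(s.first) || s.first < 0.0f || s.first > 1.0f) return false;
        if (s.first < prev) return false;
        prev = s.first;
    }
    return true;
}

// Fills colorTable from the stops and returns the number of entries written.
// Every loop that advances `pos` also tests `pos < size`, so a malformed
// offset can at most produce a wrong gradient, never a write past the table.
static int generateGradientColorTable(const std::vector<Stop>& stops,
                                      std::vector<uint32_t>& colorTable) {
    const int size = static_cast<int>(colorTable.size());
    if (size == 0 || !stopsAreSane(stops)) return 0;

    const float incr = 1.0f / static_cast<float>(size);
    float fpos = 0.5f * incr;  // sample each entry at its centre
    int pos = 0;

    // Entries before the first stop take the first stop's colour.
    while (pos < size && fpos <= stops.front().first) {
        colorTable[pos++] = stops.front().second;
        fpos += incr;
    }
    // Entries between consecutive stops are interpolated.
    for (std::size_t i = 1; i < stops.size(); ++i) {
        const Stop& a = stops[i - 1];
        const Stop& b = stops[i];
        const float span = b.first - a.first;
        while (pos < size && fpos < b.first) {  // `pos < size` is the bound the crash lacks
            const float t = span > 0.0f ? (fpos - a.first) / span : 1.0f;
            colorTable[pos++] = lerpColor(a.second, b.second, t);
            fpos += incr;
        }
    }
    // Remaining entries repeat the previous one (the pattern at
    // vdrawhelper.cpp:151), bounded by size and with pos - 1 kept valid.
    if (pos == 0) colorTable[pos++] = stops.back().second;
    for (; pos < size; ++pos) colorTable[pos] = colorTable[pos - 1];
    return pos;
}

// Fills a fresh table of `size` entries and returns how many were written.
static int fillTable(const std::vector<Stop>& stops, int size, std::vector<uint32_t>& out) {
    out.assign(static_cast<std::size_t>(size), 0u);
    return generateGradientColorTable(stops, out);
}

int main() {
    // Constructed stops mirroring crash-1: the second offset is far outside [0, 1].
    const std::vector<Stop> malformed = {{0.0f, 0xFFFF0000u}, {4294967297.0f, 0xFF0000FFu}};
    std::vector<uint32_t> table;
    std::printf("malformed stops: %d entries written\n", fillTable(malformed, 1024, table));
    const std::vector<Stop> ok = {{0.0f, 0xFFFF0000u}, {1.0f, 0xFF0000FFu}};
    std::printf("valid stops: %d entries written\n", fillTable(ok, 1024, table));
    return 0;
}
```

The validator is the cheap fix at the parser boundary; the `pos < size` guard is the defence in depth that keeps a future parser gap from turning into an out-of-bounds write, since the table size is the only bound the fill loop can trust.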

mymedia2 commented 2 years ago

The second crash occurs due to invalid JSON. It's truncated at the "ty" token. Here's a minimal sample that leads to the same crash: {"layers":[{"shapes":[{"ty":0}]}]}. I've added a null pointer check.

For the first one, I've added a vector border check, so rLottie can parse this JSON and render something.
crash-1
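
The fix for crash-2 is a null pointer check: in the minimal sample `{"layers":[{"shapes":[{"ty":0}]}]}` the value of `"ty"` is a number, not a string, so the pointer handed to `strcmp` in `parseObjectTypeAttr` is null. As an added example, not rlottie's parser (the `JsonValue` representation, the `ShapeType` enum and the function names are assumptions made for illustration), here is a type-attribute lookup that treats a missing or non-string `"ty"` as an unknown shape instead of dereferencing it:

```cpp
// Added example, not rlottie's parser: the object-type lookup that crash-2
// exercises, written so that a missing or non-string "ty" value is reported
// as an unknown shape instead of reaching strcmp as a null pointer.
// JsonValue, ShapeType and the names below are assumptions for illustration.
#include <cstdio>
#include <map>
#include <optional>
#include <string>
#include <string_view>
#include <variant>

// A parsed JSON scalar: absent/null, number or string (objects and arrays
// are left out; they are not needed for the "ty" attribute).
using JsonValue = std::variant<std::monostate, double, std::string>;
using JsonObject = std::map<std::string, JsonValue>;

enum class ShapeType { Unknown, Group, Rect, Stroke, GradientFill, Transform };

// The accessor shape that crashes: anything that is not a string comes back
// as nullptr, and {"ty":0} therefore feeds a null pointer to strcmp.
static const char* getStringUnchecked(const JsonObject& obj, const char* key) {
    auto it = obj.find(key);
    if (it == obj.end()) return nullptr;
    const std::string* s = std::get_if<std::string>(&it->second);
    return s ? s->c_str() : nullptr;
}

// Hardened accessor: the caller receives an empty optional for a missing or
// non-string value and has to handle that case before comparing anything.
static std::optional<std::string_view> getString(const JsonObject& obj, const char* key) {
    auto it = obj.find(key);
    if (it == obj.end()) return std::nullopt;
    const std::string* s = std::get_if<std::string>(&it->second);
    if (!s) return std::nullopt;
    return std::string_view(*s);
}

// Shape type names that appear in the crash-1 file.
static ShapeType shapeTypeFromName(std::string_view ty) {
    if (ty == "gr") return ShapeType::Group;
    if (ty == "rc") return ShapeType::Rect;
    if (ty == "st") return ShapeType::Stroke;
    if (ty == "gf") return ShapeType::GradientFill;
    if (ty == "tr") return ShapeType::Transform;
    return ShapeType::Unknown;
}

// Hardened parseObjectTypeAttr: a "ty" that is absent (the truncated crash-2
// input) or not a string ({"ty":0}) yields Unknown; no comparison is reached.
static ShapeType parseObjectTypeAttr(const JsonObject& shape) {
    const std::optional<std::string_view> ty = getString(shape, "ty");
    if (!ty) return ShapeType::Unknown;  // the null check
    return shapeTypeFromName(*ty);
}

int main() {
    // Constructed inputs: the shape from the minimal crash-2 sample, a
    // truncated object with no "ty" value, and a well-formed group.
    const JsonObject numberTy = {{"ty", JsonValue(0.0)}};
    const JsonObject missingTy = {};
    const JsonObject group = {{"ty", JsonValue(std::string("gr"))}};
    std::printf("{\"ty\":0}    -> %d (unchecked getter returns nullptr: %s)\n",
                static_cast<int>(parseObjectTypeAttr(numberTy)),
                getStringUnchecked(numberTy, "ty") == nullptr ? "yes" : "no");
    std::printf("{\"ty\"       -> %d\n", static_cast<int>(parseObjectTypeAttr(missingTy)));
    std::printf("{\"ty\":\"gr\"} -> %d\n", static_cast<int>(parseObjectTypeAttr(group)));
    return 0;
}
```

Returning `std::optional` rather than a possibly-null `const char*` moves the check into the type: a caller that forgets it does not compile, which is the property a fuzzer-found null dereference in a parser calls for.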

retpoline commented 2 years ago

Great, thanks for the quick fixes!