Samsung / rlottie

A platform independent standalone library that plays Lottie Animation.

Result of fuzzing tests #522

Open mymedia2 opened 2 years ago

mymedia2 commented 2 years ago

I did some fuzzing and found six interesting JSONs that cause crashes or undefined behaviour. It would be great to have them fixed.

Case 1

Valgrind noticed usage of uninitialized values. `001f.json`:

```json
{"v":"0","op":9,"layers":[{"ddd":0,"ks":{"r":{"k":[{"i":{},"":0}]}},"op":1}]}
```

Output (valgrind ...):

```
mymedia@barberry:~/rlottie$ valgrind --track-origins=yes build/example/lottie2gif fuzz/collect/001f.json
==1821184== Memcheck, a memory error detector
==1821184== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==1821184== Using Valgrind-3.17.0 and LibVEX; rerun with -h for copyright info
==1821184== Command: build/example/lottie2gif fuzz/collect/001f.json
==1821184== 
==1821184== Conditional jump or move depends on uninitialised value(s)
==1821184==    at 0x4899F2F: VMatrix::rotate(float, VMatrix::Axis) (vmatrix.cpp:240)
==1821184==    by 0x48C968F: rlottie::internal::model::Transform::Data::matrix(int, bool) const (lottiemodel.cpp:197)
==1821184==    by 0x48AE69D: rlottie::internal::model::Transform::matrix(int, bool) const (lottiemodel.h:618)
==1821184==    by 0x48AE918: rlottie::internal::model::Layer::matrix(int) const (lottiemodel.h:700)
==1821184==    by 0x48A7C3D: rlottie::internal::renderer::Layer::matrix(int) const (lottieitem.cpp:440)
==1821184==    by 0x48A79D9: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:404)
==1821184==    by 0x48A8DF4: rlottie::internal::renderer::CompLayer::updateContent() (lottieitem.cpp:653)
==1821184==    by 0x48A7B60: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:430)
==1821184==    by 0x48A62F1: rlottie::internal::renderer::Composition::update(int, VSize const&, bool) (lottieitem.cpp:146)
==1821184==    by 0x48F6E79: AnimationImpl::update(unsigned long, VSize const&, bool) (lottieanimation.cpp:105)
==1821184==    by 0x48F6F90: AnimationImpl::render(unsigned long, rlottie::Surface const&, bool) (lottieanimation.cpp:118)
==1821184==    by 0x48F7AF3: rlottie::Animation::renderSync(unsigned long, rlottie::Surface, bool) (lottieanimation.cpp:371)
==1821184==  Uninitialised value was created by a stack allocation
==1821184==    at 0x48E41FA: void LottieParserImpl::parseKeyFrame(rlottie::internal::model::KeyFrames&) (lottieparser.cpp:2010)
==1821184== 
==1821184== Conditional jump or move depends on uninitialised value(s)
==1821184==    at 0x4899F3C: VMatrix::rotate(float, VMatrix::Axis) (vmatrix.cpp:240)
==1821184==    by 0x48C968F: rlottie::internal::model::Transform::Data::matrix(int, bool) const (lottiemodel.cpp:197)
==1821184==    by 0x48AE69D: rlottie::internal::model::Transform::matrix(int, bool) const (lottiemodel.h:618)
==1821184==    by 0x48AE918: rlottie::internal::model::Layer::matrix(int) const (lottiemodel.h:700)
==1821184==    by 0x48A7C3D: rlottie::internal::renderer::Layer::matrix(int) const (lottieitem.cpp:440)
==1821184==    by 0x48A79D9: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:404)
==1821184==    by 0x48A8DF4: rlottie::internal::renderer::CompLayer::updateContent() (lottieitem.cpp:653)
==1821184==    by 0x48A7B60: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:430)
==1821184==    by 0x48A62F1: rlottie::internal::renderer::Composition::update(int, VSize const&, bool) (lottieitem.cpp:146)
==1821184==    by 0x48F6E79: AnimationImpl::update(unsigned long, VSize const&, bool) (lottieanimation.cpp:105)
==1821184==    by 0x48F6F90: AnimationImpl::render(unsigned long, rlottie::Surface const&, bool) (lottieanimation.cpp:118)
==1821184==    by 0x48F7AF3: rlottie::Animation::renderSync(unsigned long, rlottie::Surface, bool) (lottieanimation.cpp:371)
==1821184==  Uninitialised value was created by a stack allocation
==1821184==    at 0x48E41FA: void LottieParserImpl::parseKeyFrame(rlottie::internal::model::KeyFrames&) (lottieparser.cpp:2010)
==1821184== 
==1821184== Conditional jump or move depends on uninitialised value(s)
==1821184==    at 0x4899F71: VMatrix::rotate(float, VMatrix::Axis) (vmatrix.cpp:244)
==1821184==    by 0x48C968F: rlottie::internal::model::Transform::Data::matrix(int, bool) const (lottiemodel.cpp:197)
==1821184==    by 0x48AE69D: rlottie::internal::model::Transform::matrix(int, bool) const (lottiemodel.h:618)
==1821184==    by 0x48AE918: rlottie::internal::model::Layer::matrix(int) const (lottiemodel.h:700)
==1821184==    by 0x48A7C3D: rlottie::internal::renderer::Layer::matrix(int) const (lottieitem.cpp:440)
==1821184==    by 0x48A79D9: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:404)
==1821184==    by 0x48A8DF4: rlottie::internal::renderer::CompLayer::updateContent() (lottieitem.cpp:653)
==1821184==    by 0x48A7B60: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:430)
==1821184==    by 0x48A62F1: rlottie::internal::renderer::Composition::update(int, VSize const&, bool) (lottieitem.cpp:146)
==1821184==    by 0x48F6E79: AnimationImpl::update(unsigned long, VSize const&, bool) (lottieanimation.cpp:105)
==1821184==    by 0x48F6F90: AnimationImpl::render(unsigned long, rlottie::Surface const&, bool) (lottieanimation.cpp:118)
==1821184==    by 0x48F7AF3: rlottie::Animation::renderSync(unsigned long, rlottie::Surface, bool) (lottieanimation.cpp:371)
==1821184==  Uninitialised value was created by a stack allocation
==1821184==    at 0x48E41FA: void LottieParserImpl::parseKeyFrame(rlottie::internal::model::KeyFrames&) (lottieparser.cpp:2010)
==1821184== 
==1821184== Conditional jump or move depends on uninitialised value(s)
==1821184==    at 0x4899F82: VMatrix::rotate(float, VMatrix::Axis) (vmatrix.cpp:244)
==1821184==    by 0x48C968F: rlottie::internal::model::Transform::Data::matrix(int, bool) const (lottiemodel.cpp:197)
==1821184==    by 0x48AE69D: rlottie::internal::model::Transform::matrix(int, bool) const (lottiemodel.h:618)
==1821184==    by 0x48AE918: rlottie::internal::model::Layer::matrix(int) const (lottiemodel.h:700)
==1821184==    by 0x48A7C3D: rlottie::internal::renderer::Layer::matrix(int) const (lottieitem.cpp:440)
==1821184==    by 0x48A79D9: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:404)
==1821184==    by 0x48A8DF4: rlottie::internal::renderer::CompLayer::updateContent() (lottieitem.cpp:653)
==1821184==    by 0x48A7B60: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:430)
==1821184==    by 0x48A62F1: rlottie::internal::renderer::Composition::update(int, VSize const&, bool) (lottieitem.cpp:146)
==1821184==    by 0x48F6E79: AnimationImpl::update(unsigned long, VSize const&, bool) (lottieanimation.cpp:105)
==1821184==    by 0x48F6F90: AnimationImpl::render(unsigned long, rlottie::Surface const&, bool) (lottieanimation.cpp:118)
==1821184==    by 0x48F7AF3: rlottie::Animation::renderSync(unsigned long, rlottie::Surface, bool) (lottieanimation.cpp:371)
==1821184==  Uninitialised value was created by a stack allocation
==1821184==    at 0x48E41FA: void LottieParserImpl::parseKeyFrame(rlottie::internal::model::KeyFrames&) (lottieparser.cpp:2010)
==1821184== 
==1821184== Conditional jump or move depends on uninitialised value(s)
==1821184==    at 0x4899F93: VMatrix::rotate(float, VMatrix::Axis) (vmatrix.cpp:244)
==1821184==    by 0x48C968F: rlottie::internal::model::Transform::Data::matrix(int, bool) const (lottiemodel.cpp:197)
==1821184==    by 0x48AE69D: rlottie::internal::model::Transform::matrix(int, bool) const (lottiemodel.h:618)
==1821184==    by 0x48AE918: rlottie::internal::model::Layer::matrix(int) const (lottiemodel.h:700)
==1821184==    by 0x48A7C3D: rlottie::internal::renderer::Layer::matrix(int) const (lottieitem.cpp:440)
==1821184==    by 0x48A79D9: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:404)
==1821184==    by 0x48A8DF4: rlottie::internal::renderer::CompLayer::updateContent() (lottieitem.cpp:653)
==1821184==    by 0x48A7B60: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:430)
==1821184==    by 0x48A62F1: rlottie::internal::renderer::Composition::update(int, VSize const&, bool) (lottieitem.cpp:146)
==1821184==    by 0x48F6E79: AnimationImpl::update(unsigned long, VSize const&, bool) (lottieanimation.cpp:105)
==1821184==    by 0x48F6F90: AnimationImpl::render(unsigned long, rlottie::Surface const&, bool) (lottieanimation.cpp:118)
==1821184==    by 0x48F7AF3: rlottie::Animation::renderSync(unsigned long, rlottie::Surface, bool) (lottieanimation.cpp:371)
==1821184==  Uninitialised value was created by a stack allocation
==1821184==    at 0x48E41FA: void LottieParserImpl::parseKeyFrame(rlottie::internal::model::KeyFrames&) (lottieparser.cpp:2010)
==1821184== 
==1821184== Conditional jump or move depends on uninitialised value(s)
==1821184==    at 0x4899FA4: VMatrix::rotate(float, VMatrix::Axis) (vmatrix.cpp:244)
==1821184==    by 0x48C968F: rlottie::internal::model::Transform::Data::matrix(int, bool) const (lottiemodel.cpp:197)
==1821184==    by 0x48AE69D: rlottie::internal::model::Transform::matrix(int, bool) const (lottiemodel.h:618)
==1821184==    by 0x48AE918: rlottie::internal::model::Layer::matrix(int) const (lottiemodel.h:700)
==1821184==    by 0x48A7C3D: rlottie::internal::renderer::Layer::matrix(int) const (lottieitem.cpp:440)
==1821184==    by 0x48A79D9: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:404)
==1821184==    by 0x48A8DF4: rlottie::internal::renderer::CompLayer::updateContent() (lottieitem.cpp:653)
==1821184==    by 0x48A7B60: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:430)
==1821184==    by 0x48A62F1: rlottie::internal::renderer::Composition::update(int, VSize const&, bool) (lottieitem.cpp:146)
==1821184==    by 0x48F6E79: AnimationImpl::update(unsigned long, VSize const&, bool) (lottieanimation.cpp:105)
==1821184==    by 0x48F6F90: AnimationImpl::render(unsigned long, rlottie::Surface const&, bool) (lottieanimation.cpp:118)
==1821184==    by 0x48F7AF3: rlottie::Animation::renderSync(unsigned long, rlottie::Surface, bool) (lottieanimation.cpp:371)
==1821184==  Uninitialised value was created by a stack allocation
==1821184==    at 0x48E41FA: void LottieParserImpl::parseKeyFrame(rlottie::internal::model::KeyFrames&) (lottieparser.cpp:2010)
==1821184== 
==1821184== Conditional jump or move depends on uninitialised value(s)
==1821184==    at 0x4899FCA: VMatrix::rotate(float, VMatrix::Axis) (vmatrix.cpp:246)
==1821184==    by 0x48C968F: rlottie::internal::model::Transform::Data::matrix(int, bool) const (lottiemodel.cpp:197)
==1821184==    by 0x48AE69D: rlottie::internal::model::Transform::matrix(int, bool) const (lottiemodel.h:618)
==1821184==    by 0x48AE918: rlottie::internal::model::Layer::matrix(int) const (lottiemodel.h:700)
==1821184==    by 0x48A7C3D: rlottie::internal::renderer::Layer::matrix(int) const (lottieitem.cpp:440)
==1821184==    by 0x48A79D9: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:404)
==1821184==    by 0x48A8DF4: rlottie::internal::renderer::CompLayer::updateContent() (lottieitem.cpp:653)
==1821184==    by 0x48A7B60: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:430)
==1821184==    by 0x48A62F1: rlottie::internal::renderer::Composition::update(int, VSize const&, bool) (lottieitem.cpp:146)
==1821184==    by 0x48F6E79: AnimationImpl::update(unsigned long, VSize const&, bool) (lottieanimation.cpp:105)
==1821184==    by 0x48F6F90: AnimationImpl::render(unsigned long, rlottie::Surface const&, bool) (lottieanimation.cpp:118)
==1821184==    by 0x48F7AF3: rlottie::Animation::renderSync(unsigned long, rlottie::Surface, bool) (lottieanimation.cpp:371)
==1821184==  Uninitialised value was created by a stack allocation
==1821184==    at 0x48E41FA: void LottieParserImpl::parseKeyFrame(rlottie::internal::model::KeyFrames&) (lottieparser.cpp:2010)
==1821184== 
==1821184== Conditional jump or move depends on uninitialised value(s)
==1821184==    at 0x4899FDB: VMatrix::rotate(float, VMatrix::Axis) (vmatrix.cpp:246)
==1821184==    by 0x48C968F: rlottie::internal::model::Transform::Data::matrix(int, bool) const (lottiemodel.cpp:197)
==1821184==    by 0x48AE69D: rlottie::internal::model::Transform::matrix(int, bool) const (lottiemodel.h:618)
==1821184==    by 0x48AE918: rlottie::internal::model::Layer::matrix(int) const (lottiemodel.h:700)
==1821184==    by 0x48A7C3D: rlottie::internal::renderer::Layer::matrix(int) const (lottieitem.cpp:440)
==1821184==    by 0x48A79D9: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:404)
==1821184==    by 0x48A8DF4: rlottie::internal::renderer::CompLayer::updateContent() (lottieitem.cpp:653)
==1821184==    by 0x48A7B60: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:430)
==1821184==    by 0x48A62F1: rlottie::internal::renderer::Composition::update(int, VSize const&, bool) (lottieitem.cpp:146)
==1821184==    by 0x48F6E79: AnimationImpl::update(unsigned long, VSize const&, bool) (lottieanimation.cpp:105)
==1821184==    by 0x48F6F90: AnimationImpl::render(unsigned long, rlottie::Surface const&, bool) (lottieanimation.cpp:118)
==1821184==    by 0x48F7AF3: rlottie::Animation::renderSync(unsigned long, rlottie::Surface, bool) (lottieanimation.cpp:371)
==1821184==  Uninitialised value was created by a stack allocation
==1821184==    at 0x48E41FA: void LottieParserImpl::parseKeyFrame(rlottie::internal::model::KeyFrames&) (lottieparser.cpp:2010)
==1821184== 
==1821184== Conditional jump or move depends on uninitialised value(s)
==1821184==    at 0x4899FEC: VMatrix::rotate(float, VMatrix::Axis) (vmatrix.cpp:246)
==1821184==    by 0x48C968F: rlottie::internal::model::Transform::Data::matrix(int, bool) const (lottiemodel.cpp:197)
==1821184==    by 0x48AE69D: rlottie::internal::model::Transform::matrix(int, bool) const (lottiemodel.h:618)
==1821184==    by 0x48AE918: rlottie::internal::model::Layer::matrix(int) const (lottiemodel.h:700)
==1821184==    by 0x48A7C3D: rlottie::internal::renderer::Layer::matrix(int) const (lottieitem.cpp:440)
==1821184==    by 0x48A79D9: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:404)
==1821184==    by 0x48A8DF4: rlottie::internal::renderer::CompLayer::updateContent() (lottieitem.cpp:653)
==1821184==    by 0x48A7B60: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:430)
==1821184==    by 0x48A62F1: rlottie::internal::renderer::Composition::update(int, VSize const&, bool) (lottieitem.cpp:146)
==1821184==    by 0x48F6E79: AnimationImpl::update(unsigned long, VSize const&, bool) (lottieanimation.cpp:105)
==1821184==    by 0x48F6F90: AnimationImpl::render(unsigned long, rlottie::Surface const&, bool) (lottieanimation.cpp:118)
==1821184==    by 0x48F7AF3: rlottie::Animation::renderSync(unsigned long, rlottie::Surface, bool) (lottieanimation.cpp:371)
==1821184==  Uninitialised value was created by a stack allocation
==1821184==    at 0x48E41FA: void LottieParserImpl::parseKeyFrame(rlottie::internal::model::KeyFrames&) (lottieparser.cpp:2010)
==1821184== 
==1821184== Conditional jump or move depends on uninitialised value(s)
==1821184==    at 0x4899FFD: VMatrix::rotate(float, VMatrix::Axis) (vmatrix.cpp:246)
==1821184==    by 0x48C968F: rlottie::internal::model::Transform::Data::matrix(int, bool) const (lottiemodel.cpp:197)
==1821184==    by 0x48AE69D: rlottie::internal::model::Transform::matrix(int, bool) const (lottiemodel.h:618)
==1821184==    by 0x48AE918: rlottie::internal::model::Layer::matrix(int) const (lottiemodel.h:700)
==1821184==    by 0x48A7C3D: rlottie::internal::renderer::Layer::matrix(int) const (lottieitem.cpp:440)
==1821184==    by 0x48A79D9: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:404)
==1821184==    by 0x48A8DF4: rlottie::internal::renderer::CompLayer::updateContent() (lottieitem.cpp:653)
==1821184==    by 0x48A7B60: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:430)
==1821184==    by 0x48A62F1: rlottie::internal::renderer::Composition::update(int, VSize const&, bool) (lottieitem.cpp:146)
==1821184==    by 0x48F6E79: AnimationImpl::update(unsigned long, VSize const&, bool) (lottieanimation.cpp:105)
==1821184==    by 0x48F6F90: AnimationImpl::render(unsigned long, rlottie::Surface const&, bool) (lottieanimation.cpp:118)
==1821184==    by 0x48F7AF3: rlottie::Animation::renderSync(unsigned long, rlottie::Surface, bool) (lottieanimation.cpp:371)
==1821184==  Uninitialised value was created by a stack allocation
==1821184==    at 0x48E41FA: void LottieParserImpl::parseKeyFrame(rlottie::internal::model::KeyFrames&) (lottieparser.cpp:2010)
==1821184== 
==1821184== Conditional jump or move depends on uninitialised value(s)
==1821184==    at 0x489A023: VMatrix::rotate(float, VMatrix::Axis) (vmatrix.cpp:248)
==1821184==    by 0x48C968F: rlottie::internal::model::Transform::Data::matrix(int, bool) const (lottiemodel.cpp:197)
==1821184==    by 0x48AE69D: rlottie::internal::model::Transform::matrix(int, bool) const (lottiemodel.h:618)
==1821184==    by 0x48AE918: rlottie::internal::model::Layer::matrix(int) const (lottiemodel.h:700)
==1821184==    by 0x48A7C3D: rlottie::internal::renderer::Layer::matrix(int) const (lottieitem.cpp:440)
==1821184==    by 0x48A79D9: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:404)
==1821184==    by 0x48A8DF4: rlottie::internal::renderer::CompLayer::updateContent() (lottieitem.cpp:653)
==1821184==    by 0x48A7B60: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:430)
==1821184==    by 0x48A62F1: rlottie::internal::renderer::Composition::update(int, VSize const&, bool) (lottieitem.cpp:146)
==1821184==    by 0x48F6E79: AnimationImpl::update(unsigned long, VSize const&, bool) (lottieanimation.cpp:105)
==1821184==    by 0x48F6F90: AnimationImpl::render(unsigned long, rlottie::Surface const&, bool) (lottieanimation.cpp:118)
==1821184==    by 0x48F7AF3: rlottie::Animation::renderSync(unsigned long, rlottie::Surface, bool) (lottieanimation.cpp:371)
==1821184==  Uninitialised value was created by a stack allocation
==1821184==    at 0x48E41FA: void LottieParserImpl::parseKeyFrame(rlottie::internal::model::KeyFrames&) (lottieparser.cpp:2010)
==1821184== 
==1821184== Conditional jump or move depends on uninitialised value(s)
==1821184==    at 0x489A034: VMatrix::rotate(float, VMatrix::Axis) (vmatrix.cpp:248)
==1821184==    by 0x48C968F: rlottie::internal::model::Transform::Data::matrix(int, bool) const (lottiemodel.cpp:197)
==1821184==    by 0x48AE69D: rlottie::internal::model::Transform::matrix(int, bool) const (lottiemodel.h:618)
==1821184==    by 0x48AE918: rlottie::internal::model::Layer::matrix(int) const (lottiemodel.h:700)
==1821184==    by 0x48A7C3D: rlottie::internal::renderer::Layer::matrix(int) const (lottieitem.cpp:440)
==1821184==    by 0x48A79D9: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:404)
==1821184==    by 0x48A8DF4: rlottie::internal::renderer::CompLayer::updateContent() (lottieitem.cpp:653)
==1821184==    by 0x48A7B60: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:430)
==1821184==    by 0x48A62F1: rlottie::internal::renderer::Composition::update(int, VSize const&, bool) (lottieitem.cpp:146)
==1821184==    by 0x48F6E79: AnimationImpl::update(unsigned long, VSize const&, bool) (lottieanimation.cpp:105)
==1821184==    by 0x48F6F90: AnimationImpl::render(unsigned long, rlottie::Surface const&, bool) (lottieanimation.cpp:118)
==1821184==    by 0x48F7AF3: rlottie::Animation::renderSync(unsigned long, rlottie::Surface, bool) (lottieanimation.cpp:371)
==1821184==  Uninitialised value was created by a stack allocation
==1821184==    at 0x48E41FA: void LottieParserImpl::parseKeyFrame(rlottie::internal::model::KeyFrames&) (lottieparser.cpp:2010)
==1821184== 
==1821184== Conditional jump or move depends on uninitialised value(s)
==1821184==    at 0x4DFE17F: __sinf_fma (s_sinf.c:45)
==1821184==    by 0x489CD50: std::sin(float) (cmath:426)
==1821184==    by 0x489A072: VMatrix::rotate(float, VMatrix::Axis) (vmatrix.cpp:252)
==1821184==    by 0x48C968F: rlottie::internal::model::Transform::Data::matrix(int, bool) const (lottiemodel.cpp:197)
==1821184==    by 0x48AE69D: rlottie::internal::model::Transform::matrix(int, bool) const (lottiemodel.h:618)
==1821184==    by 0x48AE918: rlottie::internal::model::Layer::matrix(int) const (lottiemodel.h:700)
==1821184==    by 0x48A7C3D: rlottie::internal::renderer::Layer::matrix(int) const (lottieitem.cpp:440)
==1821184==    by 0x48A79D9: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:404)
==1821184==    by 0x48A8DF4: rlottie::internal::renderer::CompLayer::updateContent() (lottieitem.cpp:653)
==1821184==    by 0x48A7B60: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:430)
==1821184==    by 0x48A62F1: rlottie::internal::renderer::Composition::update(int, VSize const&, bool) (lottieitem.cpp:146)
==1821184==    by 0x48F6E79: AnimationImpl::update(unsigned long, VSize const&, bool) (lottieanimation.cpp:105)
==1821184==  Uninitialised value was created by a stack allocation
==1821184==    at 0x48E41FA: void LottieParserImpl::parseKeyFrame(rlottie::internal::model::KeyFrames&) (lottieparser.cpp:2010)
==1821184== 
==1821184== Conditional jump or move depends on uninitialised value(s)
==1821184==    at 0x4DFE1C9: __sinf_fma (s_sinf.c:59)
==1821184==    by 0x489CD50: std::sin(float) (cmath:426)
==1821184==    by 0x489A072: VMatrix::rotate(float, VMatrix::Axis) (vmatrix.cpp:252)
==1821184==    by 0x48C968F: rlottie::internal::model::Transform::Data::matrix(int, bool) const (lottiemodel.cpp:197)
==1821184==    by 0x48AE69D: rlottie::internal::model::Transform::matrix(int, bool) const (lottiemodel.h:618)
==1821184==    by 0x48AE918: rlottie::internal::model::Layer::matrix(int) const (lottiemodel.h:700)
==1821184==    by 0x48A7C3D: rlottie::internal::renderer::Layer::matrix(int) const (lottieitem.cpp:440)
==1821184==    by 0x48A79D9: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:404)
==1821184==    by 0x48A8DF4: rlottie::internal::renderer::CompLayer::updateContent() (lottieitem.cpp:653)
==1821184==    by 0x48A7B60: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:430)
==1821184==    by 0x48A62F1: rlottie::internal::renderer::Composition::update(int, VSize const&, bool) (lottieitem.cpp:146)
==1821184==    by 0x48F6E79: AnimationImpl::update(unsigned long, VSize const&, bool) (lottieanimation.cpp:105)
==1821184==  Uninitialised value was created by a stack allocation
==1821184==    at 0x48E41FA: void LottieParserImpl::parseKeyFrame(rlottie::internal::model::KeyFrames&) (lottieparser.cpp:2010)
==1821184== 
==1821184== Conditional jump or move depends on uninitialised value(s)
==1821184==    at 0x4DFE285: __sinf_fma (s_sinf.c:71)
==1821184==    by 0x489CD50: std::sin(float) (cmath:426)
==1821184==    by 0x489A072: VMatrix::rotate(float, VMatrix::Axis) (vmatrix.cpp:252)
==1821184==    by 0x48C968F: rlottie::internal::model::Transform::Data::matrix(int, bool) const (lottiemodel.cpp:197)
==1821184==    by 0x48AE69D: rlottie::internal::model::Transform::matrix(int, bool) const (lottiemodel.h:618)
==1821184==    by 0x48AE918: rlottie::internal::model::Layer::matrix(int) const (lottiemodel.h:700)
==1821184==    by 0x48A7C3D: rlottie::internal::renderer::Layer::matrix(int) const (lottieitem.cpp:440)
==1821184==    by 0x48A79D9: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:404)
==1821184==    by 0x48A8DF4: rlottie::internal::renderer::CompLayer::updateContent() (lottieitem.cpp:653)
==1821184==    by 0x48A7B60: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:430)
==1821184==    by 0x48A62F1: rlottie::internal::renderer::Composition::update(int, VSize const&, bool) (lottieitem.cpp:146)
==1821184==    by 0x48F6E79: AnimationImpl::update(unsigned long, VSize const&, bool) (lottieanimation.cpp:105)
==1821184==  Uninitialised value was created by a stack allocation
==1821184==    at 0x48E41FA: void LottieParserImpl::parseKeyFrame(rlottie::internal::model::KeyFrames&) (lottieparser.cpp:2010)
==1821184== 
==1821184== Use of uninitialised value of size 8
==1821184==    at 0x4DFE2C0: reduce_large (s_sincosf.h:84)
==1821184==    by 0x4DFE2C0: __sinf_fma (s_sinf.c:76)
==1821184==    by 0x489CD50: std::sin(float) (cmath:426)
==1821184==    by 0x489A072: VMatrix::rotate(float, VMatrix::Axis) (vmatrix.cpp:252)
==1821184==    by 0x48C968F: rlottie::internal::model::Transform::Data::matrix(int, bool) const (lottiemodel.cpp:197)
==1821184==    by 0x48AE69D: rlottie::internal::model::Transform::matrix(int, bool) const (lottiemodel.h:618)
==1821184==    by 0x48AE918: rlottie::internal::model::Layer::matrix(int) const (lottiemodel.h:700)
==1821184==    by 0x48A7C3D: rlottie::internal::renderer::Layer::matrix(int) const (lottieitem.cpp:440)
==1821184==    by 0x48A79D9: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:404)
==1821184==    by 0x48A8DF4: rlottie::internal::renderer::CompLayer::updateContent() (lottieitem.cpp:653)
==1821184==    by 0x48A7B60: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:430)
==1821184==    by 0x48A62F1: rlottie::internal::renderer::Composition::update(int, VSize const&, bool) (lottieitem.cpp:146)
==1821184==    by 0x48F6E79: AnimationImpl::update(unsigned long, VSize const&, bool) (lottieanimation.cpp:105)
==1821184==  Uninitialised value was created by a stack allocation
==1821184==    at 0x48E41FA: void LottieParserImpl::parseKeyFrame(rlottie::internal::model::KeyFrames&) (lottieparser.cpp:2010)
==1821184== 
==1821184== Conditional jump or move depends on uninitialised value(s)
==1821184==    at 0x4DFE32D: sinf_poly (sincosf_poly.h:90)
==1821184==    by 0x4DFE32D: __sinf_fma (s_sinf.c:84)
==1821184==    by 0x489CD50: std::sin(float) (cmath:426)
==1821184==    by 0x489A072: VMatrix::rotate(float, VMatrix::Axis) (vmatrix.cpp:252)
==1821184==    by 0x48C968F: rlottie::internal::model::Transform::Data::matrix(int, bool) const (lottiemodel.cpp:197)
==1821184==    by 0x48AE69D: rlottie::internal::model::Transform::matrix(int, bool) const (lottiemodel.h:618)
==1821184==    by 0x48AE918: rlottie::internal::model::Layer::matrix(int) const (lottiemodel.h:700)
==1821184==    by 0x48A7C3D: rlottie::internal::renderer::Layer::matrix(int) const (lottieitem.cpp:440)
==1821184==    by 0x48A79D9: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:404)
==1821184==    by 0x48A8DF4: rlottie::internal::renderer::CompLayer::updateContent() (lottieitem.cpp:653)
==1821184==    by 0x48A7B60: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:430)
==1821184==    by 0x48A62F1: rlottie::internal::renderer::Composition::update(int, VSize const&, bool) (lottieitem.cpp:146)
==1821184==    by 0x48F6E79: AnimationImpl::update(unsigned long, VSize const&, bool) (lottieanimation.cpp:105)
==1821184==  Uninitialised value was created by a stack allocation
==1821184==    at 0x48E41FA: void LottieParserImpl::parseKeyFrame(rlottie::internal::model::KeyFrames&) (lottieparser.cpp:2010)
==1821184== 
==1821184== Use of uninitialised value of size 8
==1821184==    at 0x4DFE332: sinf_poly (sincosf_poly.h:93)
==1821184==    by 0x4DFE332: __sinf_fma (s_sinf.c:84)
==1821184==    by 0x489CD50: std::sin(float) (cmath:426)
==1821184==    by 0x489A072: VMatrix::rotate(float, VMatrix::Axis) (vmatrix.cpp:252)
==1821184==    by 0x48C968F: rlottie::internal::model::Transform::Data::matrix(int, bool) const (lottiemodel.cpp:197)
==1821184==    by 0x48AE69D: rlottie::internal::model::Transform::matrix(int, bool) const (lottiemodel.h:618)
==1821184==    by 0x48AE918: rlottie::internal::model::Layer::matrix(int) const (lottiemodel.h:700)
==1821184==    by 0x48A7C3D: rlottie::internal::renderer::Layer::matrix(int) const (lottieitem.cpp:440)
==1821184==    by 0x48A79D9: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:404)
==1821184==    by 0x48A8DF4: rlottie::internal::renderer::CompLayer::updateContent() (lottieitem.cpp:653)
==1821184==    by 0x48A7B60: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:430)
==1821184==    by 0x48A62F1: rlottie::internal::renderer::Composition::update(int, VSize const&, bool) (lottieitem.cpp:146)
==1821184==    by 0x48F6E79: AnimationImpl::update(unsigned long, VSize const&, bool) (lottieanimation.cpp:105)
==1821184==  Uninitialised value was created by a stack allocation

... truncated because of GitHub limits ...

==1821184== Conditional jump or move depends on uninitialised value(s)
==1821184==    at 0x489BB8C: VMatrix::fuzzyCompare(VMatrix const&) const (vmatrix.cpp:557)
==1821184==    by 0x489BB2C: VMatrix::operator==(VMatrix const&) const (vmatrix.cpp:545)
==1821184==    by 0x489BB56: VMatrix::operator!=(VMatrix const&) const (vmatrix.cpp:550)
==1821184==    by 0x48A7A03: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:408)
==1821184==    by 0x48A8DF4: rlottie::internal::renderer::CompLayer::updateContent() (lottieitem.cpp:653)
==1821184==    by 0x48A7B60: rlottie::internal::renderer::Layer::update(int, VMatrix const&, float) (lottieitem.cpp:430)
==1821184==    by 0x48A62F1: rlottie::internal::renderer::Composition::update(int, VSize const&, bool) (lottieitem.cpp:146)
==1821184==    by 0x48F6E79: AnimationImpl::update(unsigned long, VSize const&, bool) (lottieanimation.cpp:105)
==1821184==    by 0x48F6F90: AnimationImpl::render(unsigned long, rlottie::Surface const&, bool) (lottieanimation.cpp:118)
==1821184==    by 0x48F7AF3: rlottie::Animation::renderSync(unsigned long, rlottie::Surface, bool) (lottieanimation.cpp:371)
==1821184==    by 0x10F300: App::render(unsigned int, unsigned int) (lottie2gif.cpp:91)
==1821184==    by 0x10EC34: main (lottie2gif.cpp:175)
==1821184== 
Generated GIF file : 001f.json.gif
==1821184== 
==1821184== HEAP SUMMARY:
==1821184==     in use at exit: 0 bytes in 0 blocks
==1821184==   total heap usage: 47 allocs, 47 frees, 20,727,784 bytes allocated
==1821184== 
==1821184== All heap blocks were freed -- no leaks are possible
==1821184== 
==1821184== For lists of detected and suppressed errors, rerun with: -s
==1821184== ERROR SUMMARY: 28 errors from 28 contexts (suppressed: 0 from 0)
```

Case 2

Accessing elements of empty vector. `002f.json`:

```json
{"v":"0","op":1,"layers":[{"ty":4,"ks":{},"shapes":[{"ty":"gr","it":[{"ty":"sh","ks":{"k":[{}]}}]}],"op":1}]}
```

Click to see output (gdb ...)

```
mymedia@barberry:~/rlottie$ gdb -ex run -ex bt\ full -ex q --args build/example/lottie2gif fuzz/collect/002f.json
Reading symbols from build/example/lottie2gif...
Starting program: /home/mymedia/rlottie/build/example/lottie2gif fuzz/collect/002f.json
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
rlottie::internal::model::Property::value (this=0x555555573968, frameNo=0, path=...) at ./src/lottie/lottiemodel.h:343
343         if (vec.front().start_ >= frameNo)
#0  rlottie::internal::model::Property::value (this=0x555555573968, frameNo=0, path=...) at ./src/lottie/lottiemodel.h:343
        vec = std::vector of length 0, capacity 0
#1  0x00007ffff7f5e2dc in rlottie::internal::renderer::Path::updatePath (this=0x555555574360, path=..., frameNo=0) at ./src/lottie/lottieitem.cpp:1141
No locals.
#2  0x00007ffff7f5ddab in rlottie::internal::renderer::Shape::update (this=0x555555574360, frameNo=0, flag=...) at ./src/lottie/lottieitem.cpp:1082
No locals.
#3  0x00007ffff7f5d8c1 in rlottie::internal::renderer::Group::update (this=0x555555574300, frameNo=0, parentMatrix=..., parentAlpha=1, flag=...) at ./src/lottie/lottieitem.cpp:971
        content = @0x5555555749d0: 0x555555574360
        __for_range = std::vector of length 1, capacity 1 = {0x555555574360}
        __for_begin = 0x555555574360
        __for_end = 0x7ffff7caccc0
        newFlag = {i = 3}
        alpha = 1
#4  0x00007ffff7f5d8c1 in rlottie::internal::renderer::Group::update (this=0x5555555742a0, frameNo=0, parentMatrix=..., parentAlpha=1, flag=...) at ./src/lottie/lottieitem.cpp:971
        content = @0x5555555749b0: 0x555555574300
        __for_range = std::vector of length 1, capacity 1 = {0x555555574300}
        __for_begin = 0x555555574300
        __for_end = 0x7ffff7caccc0
        newFlag = {i = 3}
        alpha = 1
#5  0x00007ffff7f5cb3e in rlottie::internal::renderer::ShapeLayer::updateContent (this=0x555555574218) at ./src/lottie/lottieitem.cpp:839
No locals.
#6  0x00007ffff7f5ab61 in rlottie::internal::renderer::Layer::update (this=0x555555574218, frameNumber=0, parentMatrix=..., parentAlpha=1) at ./src/lottie/lottieitem.cpp:430
        alpha = 1
        m = {m11 = inf, m12 = 0, m13 = 0, m21 = 0, m22 = inf, m23 = 0, mtx = -nan(0x400000), mty = -nan(0x400000), m33 = 1, mType = VMatrix::MatrixType::Scale, dirty = VMatrix::MatrixType::None}
#7  0x00007ffff7f5bdf5 in rlottie::internal::renderer::CompLayer::updateContent (this=0x555555574190) at ./src/lottie/lottieitem.cpp:653
        layer = @0x555555574990: 0x555555574218
        __for_range = std::vector of length 1, capacity 1 = {0x555555574218}
        __for_begin = 0x555555574218
        __for_end = 0x7ffff7cad290
        mappedFrame = 0
        alpha = 1
#8  0x00007ffff7f5ab61 in rlottie::internal::renderer::Layer::update (this=0x555555574190, frameNumber=0, parentMatrix=..., parentAlpha=1) at ./src/lottie/lottieitem.cpp:430
        alpha = 1
        m = {m11 = inf, m12 = 0, m13 = 0, m21 = 0, m22 = inf, m23 = 0, mtx = -nan(0x400000), mty = -nan(0x400000), m33 = 1, mType = VMatrix::MatrixType::Scale, dirty = VMatrix::MatrixType::None}
#9  0x00007ffff7f592f2 in rlottie::internal::renderer::Composition::update (this=0x555555574070, frameNo=0, size=..., keepAspectRatio=true) at ./src/lottie/lottieitem.cpp:146
        m = {m11 = inf, m12 = 0, m13 = 0, m21 = 0, m22 = inf, m23 = 0, mtx = -nan(0x400000), mty = -nan(0x400000), m33 = 1, mType = VMatrix::MatrixType::Scale, dirty = VMatrix::MatrixType::None}
        viewPort = {mw = 200, mh = 200}
        viewBox = {mw = 0, mh = 0}
        sx = inf
        sy = inf
#10 0x00007ffff7fa9e7a in AnimationImpl::update (this=0x555555573500, frameNo=0, size=..., keepAspectRatio=true) at ./src/lottie/lottieanimation.cpp:105
No locals.
#11 0x00007ffff7fa9f91 in AnimationImpl::render (this=0x555555573500, frameNo=0, surface=..., keepAspectRatio=true) at ./src/lottie/lottieanimation.cpp:118
        renderInProgress = false
#12 0x00007ffff7faaaf4 in rlottie::Animation::renderSync (this=0x555555573550, frameNo=0, surface=..., keepAspectRatio=true) at ./src/lottie/lottieanimation.cpp:371
No locals.
#13 0x000055555555b301 in App::render (this=0x7fffffffd9c0, w=200, h=200) at ./example/lottie2gif.cpp:91
        surface = {mBuffer = 0x7ffff7983010, mWidth = 200, mHeight = 200, mBytesPerLine = 800, mDrawArea = {x = 0, y = 0, w = 200, h = 200}}
        i = 0
        player = std::unique_ptr = {get() = {}}
        buffer = std::unique_ptr = {get() = {}}
        frameCount = 1
        builder = {handle = {f = 0x555555573320, oldImage = 0x7ffff795b010 "", firstFrame = true}, bgColorR = 255 '\377', bgColorG = 255 '\377', bgColorB = 255 '\377'}
#14 0x000055555555ac35 in main (argc=2, argv=0x7fffffffdb48) at ./example/lottie2gif.cpp:175
        app = {bgColor = -1, fileName = "/home/mymedia/rlottie/fuzz/collect/002f.json", gifName = "002f.json.gif"}
        w = 200
        h = 200
#15 0x00007ffff7ac1fd0 in __libc_start_call_main (main=main@entry=0x55555555abbe , argc=argc@entry=2, argv=argv@entry=0x7fffffffdb48) at ../sysdeps/nptl/libc_start_call_main.h:58
        self =
        result =
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, -5304380250038046668, 140737488345928, 93824992259006, 0, 140737354120256, 5304380248853737524, 5304361971744665652}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x10000ffff, 0x7fffffffdac0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 65535}}}
        not_first_call =
#16 0x00007ffff7ac207d in __libc_start_main_impl (main=0x55555555abbe , argc=2, argv=0x7fffffffdb48, init=, fini=, rtld_fini=, stack_end=0x7fffffffdb38) at ../csu/libc-start.c:409
No locals.
#17 0x00005555555585a5 in _start ()
No symbol table info available.
```

Cases 3, 4, 5

Stack overflow on cyclic structures. 009f.json

```
{"v":"0","assets":[{"id":"a","layers":[{"ks":{},"ty":0,"refId":"a"}]}],"layers":[{"ks":{},"ty":0,"refId":"a"}]}
```

010f.json

```
{"v":"0","assets":[{"id":"b","layers":[{"ks":{},"ty":0,"refId":"b"}]}],"layers":[{"ks":{}},{"ks":{},"ty":0,"refId":"b"}]}
```

011f.json

```
{"v":"0","assets":[{"id":"c","layers":[{"ks":{},"ty":0,"refId":"c"}]}],"layers":[{"ks":{},"ty":0,"refId":"c"},{"ks":{},"ty":0,"refId":""}]}
```

(Sorry for the gaps between file numbers. I tried to minimize the other samples, but they seem irrelevant.)

Click to see output (gdb ...)

```
mymedia@barberry:~/rlottie$ gdb -ex run -ex bt\ full\ -20 -ex q --args build/example/lottie2gif fuzz/collect/009f.json
Reading symbols from build/example/lottie2gif...
Starting program: /home/mymedia/rlottie/build/example/lottie2gif fuzz/collect/009f.json
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f7ea48 in std::vector >::end (this=) at /usr/include/c++/11/bits/stl_vector.h:829
829           end() _GLIBCXX_NOEXCEPT
#104755 0x00007ffff7f7e180 in LottieRepeaterProcesser::visit (this=0x7fffffffd317, obj=0x5555555737e8) at ./src/lottie/lottiemodel.cpp:85
No locals.
#104756 0x00007ffff7f7e0e7 in LottieRepeaterProcesser::visitChildren (this=0x7fffffffd317, obj=0x5555555737e8) at ./src/lottie/lottiemodel.cpp:76
        child = 0x5555555737e8
        i = {> = {}, current = 0x7ffff7caccc0 }
#104757 0x00007ffff7f7e180 in LottieRepeaterProcesser::visit (this=0x7fffffffd317, obj=0x5555555737e8) at ./src/lottie/lottiemodel.cpp:85
No locals.
#104758 0x00007ffff7f7e0e7 in LottieRepeaterProcesser::visitChildren (this=0x7fffffffd317, obj=0x5555555737e8) at ./src/lottie/lottiemodel.cpp:76
        child = 0x5555555737e8
        i = {> = {}, current = 0x7ffff7caccc0 }
#104759 0x00007ffff7f7e180 in LottieRepeaterProcesser::visit (this=0x7fffffffd317, obj=0x5555555737e8) at ./src/lottie/lottiemodel.cpp:85
No locals.
#104760 0x00007ffff7f7e0e7 in LottieRepeaterProcesser::visitChildren (this=0x7fffffffd317, obj=0x5555555737e8) at ./src/lottie/lottiemodel.cpp:76
        child = 0x5555555737e8
        i = {> = {}, current = 0x7ffff7caccc0 }
#104761 0x00007ffff7f7e180 in LottieRepeaterProcesser::visit (this=0x7fffffffd317, obj=0x5555555737e8) at ./src/lottie/lottiemodel.cpp:85
No locals.
#104762 0x00007ffff7f7e0e7 in LottieRepeaterProcesser::visitChildren (this=0x7fffffffd317, obj=0x555555573970) at ./src/lottie/lottiemodel.cpp:76
        child = 0x5555555737e8
        i = {> = {}, current = 0x7ffff7caccc0 }
#104763 0x00007ffff7f7e180 in LottieRepeaterProcesser::visit (this=0x7fffffffd317, obj=0x555555573970) at ./src/lottie/lottiemodel.cpp:85
No locals.
#104764 0x00007ffff7f7e0e7 in LottieRepeaterProcesser::visitChildren (this=0x7fffffffd317, obj=0x555555573900) at ./src/lottie/lottiemodel.cpp:76
        child = 0x555555573970
        i = {> = {}, current = 0x0}
#104765 0x00007ffff7f7e180 in LottieRepeaterProcesser::visit (this=0x7fffffffd317, obj=0x555555573900) at ./src/lottie/lottiemodel.cpp:85
No locals.
#104766 0x00007ffff7f7bff4 in rlottie::internal::model::Composition::processRepeaterObjects (this=0x555555573690) at ./src/lottie/lottiemodel.cpp:152
        visitor = {}
#104767 0x00007ffff7f8a8d5 in rlottie::internal::model::parse(char*, std::__cxx11::basic_string, std::allocator >, std::function) (str=0x555555575510 "{\"v", dir_path="", filter=...) at ./src/lottie/lottieparser.cpp:2378
        composition = std::shared_ptr (use count 2, weak count 0) = {get() = 0x555555573690}
        obj = { = {v_ = {data_ = {s = {length = 1, hashcode = 0, str = 0x40555555557557a }, ss = {str = "\001\000\000\000\000\000\000\000zUWUUU"}, n = {i = {i = 1, padding = "\000\000\000"}, u = {u = 1, padding2 = "\000\000\000"}, i64 = 1, u64 = 1, d = 4.9406564584124654e-324}, o = {size = 1, capacity = 0, members = 0x40555555557557a}, a = {size = 1, capacity = 0, elements = 0x40555555557557a}, f = {payload = "\001\000\000\000\000\000\000\000zUWUUU", flags = 1029}}}, st_ = LookaheadParserHandler::kExitingObject, r_ = {static kDefaultStackCapacity = 256, stack_ = {allocator_ = 0x555555573550, ownAllocator_ = 0x555555573550, stack_ = 0x555555573570 "\002", stackTop_ = 0x555555573570 "\002", stackEnd_ = 0x555555573670 "", initialCapacity_ = 256}, parseResult_ = {code_ = rapidjson::kParseErrorNone, offset_ = 0}, state_ = rapidjson::GenericReader, rapidjson::UTF8, rapidjson::CrtAllocator>::IterativeParsingFinishState}, ss_ = {src_ = 0x555555575580 "", dst_ = 0x55555557557c "}]}\n", head_ = 0x555555575510 "{\"v"}, static parseFlags = 1}, mColorFilter = {> = {}, = {static _M_max_size = 16, static _M_max_align = 8, _M_functor = {_M_unused = {_M_object = 0x0, _M_const_object = 0x0, _M_function_pointer = 0x0, _M_member_pointer = NULL}, _M_pod_data = '\000' }, _M_manager = 0x0}, _M_invoker = 0x0}, mPathInfo = {mInPoint = std::vector of length 0, capacity 0, mOutPoint = std::vector of length 0, capacity 0, mVertices = std::vector of length 0, capacity 0, mResult = std::vector of length 0, capacity 0, mClosed = false}, mInterpolatorCache = std::unordered_map with 0 elements, mComposition = std::shared_ptr (use count 2, weak count 0) = {get() = 0x555555573690}, compRef = 0x555555573690, curLayerRef = 0x555555573970, mLayersToUpdate = std::vector of length 2, capacity 2 = {0x5555555737e8, 0x555555573970}, mDirPath = "/home/mymedia/rlottie/fuzz/collect/"}
#104768 0x00007ffff7f7b877 in rlottie::internal::model::loadFromFile (path="/home/mymedia/rlottie/fuzz/collect/009f.json", cachePolicy=true) at ./src/lottie/lottieloader.cpp:139
        content = "{\"v\000:\"0\000,\"assets\000:[{\"id\000:\"a\000,\"layers\000:[{\"ks\000:{},\"ty\000:0,\"refId\000:\"a\000}]}],\"layers\000:[{\"ks\000:{},\"ty\000:0,\"refId\000:\"a\000}]}\n"
        obj = std::shared_ptr (empty) = {get() = 0x0}
        f =
#104769 0x00007ffff7faa776 in rlottie::Animation::loadFromFile (path="/home/mymedia/rlottie/fuzz/collect/009f.json", cachePolicy=true) at ./src/lottie/lottieanimation.cpp:319
        composition = std::shared_ptr (empty) = {get() = 0x0}
#104770 0x000055555555b150 in App::render (this=0x7fffffffd9c0, w=200, h=200) at ./example/lottie2gif.cpp:82
        player = std::unique_ptr = {get() = {}}
        buffer = std::unique_ptr = {get() = {}}
        frameCount = 140737353009600
        builder = {handle = {f = 0x7ffff7eeca60, oldImage = 0x7ffff7eedb00 "@\327\356\367\377\177", firstFrame = 176}, bgColorR = 32 ' ', bgColorG = 6 '\006', bgColorB = 252 '\374'}
#104771 0x000055555555ac35 in main (argc=2, argv=0x7fffffffdb48) at ./example/lottie2gif.cpp:175
        app = {bgColor = -1, fileName = "/home/mymedia/rlottie/fuzz/collect/009f.json", gifName = "009f.json.gif"}
        w = 200
        h = 200
#104772 0x00007ffff7ac1fd0 in __libc_start_call_main (main=main@entry=0x55555555abbe , argc=argc@entry=2, argv=argv@entry=0x7fffffffdb48) at ../sysdeps/nptl/libc_start_call_main.h:58
        self =
        result =
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 2290260297761485036, 140737488345928, 93824992259006, 0, 140737354120256, -2290260296781729556, -2290277483006856980}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x10000ffff, 0x7fffffffdac0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 65535}}}
        not_first_call =
#104773 0x00007ffff7ac207d in __libc_start_main_impl (main=0x55555555abbe , argc=2, argv=0x7fffffffdb48, init=, fini=, rtld_fini=, stack_end=0x7fffffffdb38) at ../csu/libc-start.c:409
No locals.
#104774 0x00005555555585a5 in _start ()
No symbol table info available.
```

Case 6

Stack overflow at VBezier::length(). 013f.json

```
{"v":"0","op":9,"layers":[{"ty":4,"ks":{},"shapes":[{"ty":"gr","it":[{"ty":"sh","ks":{"k":{"i":[[],[]],"o":[[0,2000000000],[]],"v":[[],[1200000]]}}}]},{"ty":"tm","s":{"k":[{"i":{},"s":[100]},{"t":9}]}}],"op":9}]}
```

Click to see output (gdb ...)

```
mymedia@barberry:~/rlottie$ gdb -ex run -ex bt\ full\ -40 -ex q --args build/example/lottie2gif fuzz/collect/013f.json
Reading symbols from build/example/lottie2gif...
Starting program: /home/mymedia/rlottie/build/example/lottie2gif fuzz/collect/013f.json
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f51a94 in VBezier::split (this=, firstHalf=, secondHalf=) at ./src/vector/vbezier.h:117
117     {
#37396 0x00007ffff7f51086 in VBezier::length (this=0x7fffffffc240) at ./src/vector/vbezier.cpp:55
        left = {x1 = 311053.438, y1 = 888888832, x2 = 311054.688, y2 = 888888832, x3 = 311055.938, y3 = 888888832, x4 = 311057.188, y4 = 888888832}
        right = {x1 = 311057.188, y1 = 888888832, x2 = 311058.438, y2 = 888888832, x3 = 311059.688, y3 = 888888896, x4 = 311060.969, y4 = 888888896}
        len = 69.96875
        chord = 66.8242188
#37397 0x00007ffff7f51086 in VBezier::length (this=0x7fffffffc320) at ./src/vector/vbezier.cpp:55
        left = {x1 = 311045.938, y1 = 888888832, x2 = 311048.438, y2 = 888888832, x3 = 311050.938, y3 = 888888832, x4 = 311053.438, y4 = 888888832}
        right = {x1 = 311053.438, y1 = 888888832, x2 = 311055.938, y2 = 888888832, x3 = 311058.438, y3 = 888888896, x4 = 311060.969, y4 = 888888896}
        len = 75.90625
        chord = 69.6367188
#37398 0x00007ffff7f51086 in VBezier::length (this=0x7fffffffc400) at ./src/vector/vbezier.cpp:55
        left = {x1 = 311030.938, y1 = 888888832, x2 = 311035.938, y2 = 888888832, x3 = 311040.938, y3 = 888888832, x4 = 311045.938, y4 = 888888832}
        right = {x1 = 311045.938, y1 = 888888832, x2 = 311050.938, y2 = 888888832, x3 = 311055.938, y3 = 888888896, x4 = 311060.969, y4 = 888888896}
        len = 87.78125
        chord = 75.2617188
#37399 0x00007ffff7f51086 in VBezier::length (this=0x7fffffffc4e0) at ./src/vector/vbezier.cpp:55
        left = {x1 = 311000.906, y1 = 888888832, x2 = 311010.938, y2 = 888888832, x3 = 311020.938, y3 = 888888832, x4 = 311030.938, y4 = 888888832}
        right = {x1 = 311030.938, y1 = 888888832, x2 = 311040.938, y2 = 888888832, x3 = 311050.938, y3 = 888888896, x4 = 311060.969, y4 = 888888896}
        len = 111.5625
        chord = 86.5234375
#37400 0x00007ffff7f51086 in VBezier::length (this=0x7fffffffc5c0) at ./src/vector/vbezier.cpp:55
        left = {x1 = 310940.812, y1 = 888888832, x2 = 310960.844, y2 = 888888832, x3 = 310980.875, y3 = 888888832, x4 = 311000.906, y4 = 888888832}
        right = {x1 = 311000.906, y1 = 888888832, x2 = 311020.938, y2 = 888888832, x3 = 311040.938, y3 = 888888896, x4 = 311060.969, y4 = 888888896}
        len = 159.117188
        chord = 144.15625
#37401 0x00007ffff7f51086 in VBezier::length (this=0x7fffffffc680) at ./src/vector/vbezier.cpp:55
        left = {x1 = 310820.688, y1 = 888888704, x2 = 310860.75, y2 = 888888768, x3 = 310900.781, y3 = 888888832, x4 = 310940.812, y4 = 888888832}
        right = {x1 = 310940.812, y1 = 888888832, x2 = 310980.875, y2 = 888888832, x3 = 311020.938, y3 = 888888896, x4 = 311060.969, y4 = 888888896}
        len = 342.222656
        chord = 312.28125
#37402 0x00007ffff7f51072 in VBezier::length (this=0x7fffffffc780) at ./src/vector/vbezier.cpp:55
        left = {x1 = 310820.688, y1 = 888888704, x2 = 310900.781, y2 = 888888832, x3 = 310980.875, y3 = 888888896, x4 = 311060.969, y4 = 888888896}
        right = {x1 = 311060.969, y1 = 888888896, x2 = 311141.062, y2 = 888888896, x3 = 311221.188, y3 = 888888832, x4 = 311301.312, y4 = 888888768}
        len = 688.351562
        chord = 504.625
#37403 0x00007ffff7f51086 in VBezier::length (this=0x7fffffffc840) at ./src/vector/vbezier.cpp:55
        left = {x1 = 310340.281, y1 = 888887488, x2 = 310500.375, y2 = 888888064, x3 = 310660.531, y3 = 888888448, x4 = 310820.688, y4 = 888888704}
        right = {x1 = 310820.688, y1 = 888888704, x2 = 310980.875, y2 = 888888896, x3 = 311141.062, y3 = 888888960, x4 = 311301.312, y4 = 888888768}
        len = 2280.67969
        chord = 1640.38672
#37404 0x00007ffff7f51072 in VBezier::length (this=0x7fffffffc940) at ./src/vector/vbezier.cpp:55
        left = {x1 = 310340.281, y1 = 888887488, x2 = 310660.5, y2 = 888888640, x3 = 310980.844, y3 = 888889088, x4 = 311301.312, y4 = 888888768}
        right = {x1 = 311301.312, y1 = 888888768, x2 = 311621.812, y2 = 888888448, x3 = 311942.469, y3 = 888887488, x4 = 312263.25, y4 = 888885760}
        len = 7097.73828
        chord = 2570.96875
#37405 0x00007ffff7f51086 in VBezier::length (this=0x7fffffffca00) at ./src/vector/vbezier.cpp:55
        left = {x1 = 308420.844, y1 = 888871872, x2 = 309060.062, y2 = 888880000, x3 = 309699.875, y3 = 888885184, x4 = 310340.281, y4 = 888887488}
        right = {x1 = 310340.281, y1 = 888887488, x2 = 310980.688, y2 = 888889792, x3 = 311621.688, y3 = 888889216, x4 = 312263.25, y4 = 888885760}
        len = 29152.9023
        chord = 15328.9023
#37406 0x00007ffff7f51072 in VBezier::length (this=0x7fffffffcb00) at ./src/vector/vbezier.cpp:55
        left = {x1 = 308420.844, y1 = 888871872, x2 = 309699.312, y2 = 888888064, x3 = 310980.125, y3 = 888892672, x4 = 312263.25, y4 = 888885760}
        right = {x1 = 312263.25, y1 = 888885760, x2 = 313546.375, y2 = 888878912, x3 = 314831.781, y3 = 888860480, x4 = 316119.469, y4 = 888830592}
        len = 109062.984
        chord = 44166.9844
#37407 0x00007ffff7f51086 in VBezier::length (this=0x7fffffffcbc0) at ./src/vector/vbezier.cpp:55
        left = {x1 = 300778.188, y1 = 888634496, x2 = 303316.219, y2 = 888760512, x3 = 305863.875, y3 = 888839424, x4 = 308420.844, y4 = 888871872}
        right = {x1 = 308420.844, y1 = 888871872, x2 = 310977.812, y2 = 888904320, x3 = 313544.094, y3 = 888890368, x4 = 316119.469, y4 = 888830592}
        len = 440825
        chord = 201848.984
#37408 0x00007ffff7f51072 in VBezier::length (this=0x7fffffffccc0) at ./src/vector/vbezier.cpp:55
        left = {x1 = 300778.188, y1 = 888634496, x2 = 305854.25, y2 = 888886528, x3 = 310968.719, y3 = 888950080, x4 = 316119.469, y4 = 888830592}
        right = {x1 = 316119.469, y1 = 888830592, x2 = 321270.219, y2 = 888711040, x3 = 326457.25, y3 = 888408448, x4 = 331678.406, y4 = 887928064}
        len = 1726019.62
        chord = 718019.562
#37409 0x00007ffff7f51086 in VBezier::length (this=0x7fffffffcd80) at ./src/vector/vbezier.cpp:55
        left = {x1 = 270799.688, y1 = 884818944, x2 = 280627.531, y2 = 886872896, x3 = 290626.062, y3 = 888130560, x4 = 300778.188, y4 = 888634496}
        right = {x1 = 300778.188, y1 = 888634496, x2 = 310930.312, y2 = 889138496, x3 = 321236.094, y3 = 888888832, x4 = 331678.406, y4 = 887928064}
        len = 6974894
        chord = 3131949.5
#37410 0x00007ffff7f51072 in VBezier::length (this=0x7fffffffce60) at ./src/vector/vbezier.cpp:55
        left = {x1 = 270799.688, y1 = 884818944, x2 = 290455.375, y2 = 888926848, x3 = 310793.781, y3 = 889849536, x4 = 331678.406, y4 = 887928064}
        right = {x1 = 331678.406, y1 = 887928064, x2 = 352563.031, y2 = 886006592, x3 = 373993.875, y3 = 881240960, x4 = 395834.5, y4 = 873972288}
        len = 27325288
        chord = 10893544
#37411 0x00007ffff7f51072 in VBezier::length (this=0x7fffffffcf40) at ./src/vector/vbezier.cpp:55
        left = {x1 = 270799.688, y1 = 884818944, x2 = 310111.094, y2 = 893034816, x3 = 352153.25, y3 = 888509568, x4 = 395834.5, y4 = 873972288}
        right = {x1 = 395834.5, y1 = 873972288, x2 = 439515.781, y2 = 859435008, x3 = 484836.188, y3 = 834885568, x4 = 530704.125, y4 = 803053056}
        len = 114726840
        chord = 81863352
#37412 0x00007ffff7f51072 in VBezier::length (this=0x7fffffffd040) at ./src/vector/vbezier.cpp:55
        left = {x1 = 270799.688, y1 = 884818944, x2 = 349422.5, y2 = 901250688, x3 = 438968.25, y3 = 866718080, x4 = 530704.125, y4 = 803053056}
        right = {x1 = 530704.125, y1 = 803053056, x2 = 622440, y2 = 739387968, x3 = 716366, y3 = 646590528, x4 = 803749.375, y4 = 546492672}
        len = 404253088
        chord = 338526144
#37413 0x00007ffff7f51086 in VBezier::length (this=0x7fffffffd0d0) at ./src/vector/vbezier.cpp:55
        left = {x1 = 0, y1 = 0, x2 = 0, y2 = 615234368, x3 = 113554, y3 = 851955456, x4 = 270799.688, y4 = 884818944}
        right = {x1 = 270799.688, y1 = 884818944, x2 = 428045.344, y2 = 917682432, x3 = 628982.688, y3 = 746688384, x4 = 803749.375, y4 = 546492672}
        len = 1.91474611e+09
        chord = 546794048
#37414 0x00007ffff7f512e2 in VBezier::tAtLength (this=0x7fffffffd1d0, l=1.58064678e+09, totalLength=1.77822771e+09) at ./src/vector/vbezier.cpp:88
        right = {x1 = 803749.375, y1 = 546492672, x2 = 1022346.5, y2 = 296089184, x3 = 1200000, y3 = 0, x4 = 1200000, y4 = 0}
        left = {x1 = 0, y1 = 0, x2 = 0, y2 = 1.23046874e+09, x3 = 454216, y3 = 946884160, x4 = 803749.375, y4 = 546492672}
        lLen = 921744320
        num = 8
        t = 0.615234375
        error = 0.00999999978
        lastBigger = 0.8203125
#37415 0x00007ffff7f517e4 in VBezier::tAtLength (this=0x7fffffffd1d0, len=1.58064678e+09) at ./src/vector/vbezier.h:42
No locals.
#37416 0x00007ffff7f5140a in VBezier::splitAtLength (this=0x7fffffffd1f0, len=1.58064678e+09, left=0x7fffffffd1b0, right=0x7fffffffd1d0) at ./src/vector/vbezier.cpp:107
        t = 3802.08179
#37417 0x00007ffff7f2d843 in VDasher::cubicTo (this=0x7fffffffd320, cp1=..., cp2=..., e=...) at ./src/vector/vdasher.cpp:172
        left = {x1 = -nan(0x7fd1d0), y1 = 4.59163468e-41, x2 = -9.85034955e+33, y2 = 4.59163468e-41, x3 = -nan(0x7fd200), y3 = 4.59163468e-41, x4 = -nan(0x7fd320), y4 = 4.59163468e-41}
        right = {x1 = 0, y1 = 0, x2 = 0, y2 = 2e+09, x3 = 1200000, y3 = 0, x4 = 1200000, y4 = 0}
        b = {x1 = 0, y1 = 0, x2 = 0, y2 = 2e+09, x3 = 1200000, y3 = 0, x4 = 1200000, y4 = 0}
        bezLen = 197580928
#37418 0x00007ffff7f2db7b in VDasher::dashHelper (this=0x7fffffffd320, path=..., result=...) at ./src/vector/vdasher.cpp:212
        i = @0x555555574b51: VPath::Element::CubicTo
        __for_range = std::vector of length 2, capacity 3 = {VPath::Element::MoveTo, VPath::Element::CubicTo}
        __for_begin = VPath::Element::CubicTo
        __for_end = 85
        elms = std::vector of length 2, capacity 3 = {VPath::Element::MoveTo, VPath::Element::CubicTo}
        pts = std::vector of length 4, capacity 5 = {{mx = 0, my = 0}, {mx = 0, my = 2e+09}, {mx = 1200000, my = 0}, {mx = 1200000, my = 0}}
        ptPtr = 0x555555574098
#37419 0x00007ffff7f2dc90 in VDasher::dashed (this=0x7fffffffd320, path=..., result=...) at ./src/vector/vdasher.cpp:236
No locals.
#37420 0x00007ffff7f4c321 in VPathMesure::trim (this=0x5555555744f8, path=...) at ./src/vector/vpathmesure.cpp:53
        array = {0, 0, 1.58064678e+09, 3.40282347e+38}
        dasher = {mDashArray = 0x7fffffffd360, mArraySize = 2, mCurPt = {mx = 0, my = 0}, mIndex = 1, mCurrentLength = 1.58064678e+09, mDashOffset = 0, mResult = 0x555555574500, mDiscard = false, mStartNewSegment = true, mNoLength = false, mNoGap = false}
        length = 1.77822771e+09
#37421 0x00007ffff7f5f77a in rlottie::internal::renderer::Trim::update (this=0x5555555744c0) at ./src/lottie/lottieitem.cpp:1386
        i = @0x555555574b70: 0x555555574578
        __for_range = std::vector of length 1, capacity 1 = {0x555555574578}
        __for_begin = 0x555555574578
        __for_end = 0x7ffff7caccc0
#37422 0x00007ffff7f5d978 in rlottie::internal::renderer::Group::applyTrim (this=0x555555574460) at ./src/lottie/lottieitem.cpp:981
        content = 0x5555555744c0
        i = {> = {}, current = 0x555555574518}
#37423 0x00007ffff7f5cb62 in rlottie::internal::renderer::ShapeLayer::updateContent (this=0x5555555743d8) at ./src/lottie/lottieitem.cpp:842
No locals.
#37424 0x00007ffff7f5ab61 in rlottie::internal::renderer::Layer::update (this=0x5555555743d8, frameNumber=1, parentMatrix=..., parentAlpha=1) at ./src/lottie/lottieitem.cpp:430
        alpha = 1
        m = {m11 = inf, m12 = 0, m13 = 0, m21 = 0, m22 = inf, m23 = 0, mtx = -nan(0x400000), mty = -nan(0x400000), m33 = 1, mType = VMatrix::MatrixType::Scale, dirty = VMatrix::MatrixType::None}
#37425 0x00007ffff7f5bdf5 in rlottie::internal::renderer::CompLayer::updateContent (this=0x555555574350) at ./src/lottie/lottieitem.cpp:653
        layer = @0x555555574010: 0x5555555743d8
        __for_range = std::vector of length 1, capacity 1 = {0x5555555743d8}
        __for_begin = 0x5555555743d8
        __for_end = 0x0
        mappedFrame = 1
        alpha = 1
#37426 0x00007ffff7f5ab61 in rlottie::internal::renderer::Layer::update (this=0x555555574350, frameNumber=1, parentMatrix=..., parentAlpha=1) at ./src/lottie/lottieitem.cpp:430
        alpha = 1
        m = {m11 = inf, m12 = 0, m13 = 0, m21 = 0, m22 = inf, m23 = 0, mtx = -nan(0x400000), mty = -nan(0x400000), m33 = 1, mType = VMatrix::MatrixType::Scale, dirty = VMatrix::MatrixType::None}
#37427 0x00007ffff7f592f2 in rlottie::internal::renderer::Composition::update (this=0x555555574230, frameNo=1, size=..., keepAspectRatio=true) at ./src/lottie/lottieitem.cpp:146
        m = {m11 = inf, m12 = 0, m13 = 0, m21 = 0, m22 = inf, m23 = 0, mtx = -nan(0x400000), mty = -nan(0x400000), m33 = 1, mType = VMatrix::MatrixType::Scale, dirty = VMatrix::MatrixType::None}
        viewPort = {mw = 200, mh = 200}
        viewBox = {mw = 0, mh = 0}
        sx = inf
        sy = inf
#37428 0x00007ffff7fa9e7a in AnimationImpl::update (this=0x555555573500, frameNo=1, size=..., keepAspectRatio=true) at ./src/lottie/lottieanimation.cpp:105
No locals.
#37429 0x00007ffff7fa9f91 in AnimationImpl::render (this=0x555555573500, frameNo=1, surface=..., keepAspectRatio=true) at ./src/lottie/lottieanimation.cpp:118
        renderInProgress = false
#37430 0x00007ffff7faaaf4 in rlottie::Animation::renderSync (this=0x555555573550, frameNo=1, surface=..., keepAspectRatio=true) at ./src/lottie/lottieanimation.cpp:371
No locals.
#37431 0x000055555555b301 in App::render (this=0x7fffffffd9c0, w=200, h=200) at ./example/lottie2gif.cpp:91
        surface = {mBuffer = 0x7ffff7983010, mWidth = 200, mHeight = 200, mBytesPerLine = 800, mDrawArea = {x = 0, y = 0, w = 200, h = 200}}
        i = 1
        player = std::unique_ptr = {get() = {}}
        buffer = std::unique_ptr = {get() = {}}
        frameCount = 9
        builder = {handle = {f = 0x555555573320, oldImage = 0x7ffff795b010 '\377' ..., firstFrame = false}, bgColorR = 255 '\377', bgColorG = 255 '\377', bgColorB = 255 '\377'}
#37432 0x000055555555ac35 in main (argc=2, argv=0x7fffffffdb48) at ./example/lottie2gif.cpp:175
        app = {bgColor = -1, fileName = "/home/mymedia/rlottie/fuzz/collect/013f.json", gifName = "013f.json.gif"}
        w = 200
        h = 200
#37433 0x00007ffff7ac1fd0 in __libc_start_call_main (main=main@entry=0x55555555abbe , argc=argc@entry=2, argv=argv@entry=0x7fffffffdb48) at ../sysdeps/nptl/libc_start_call_main.h:58
        self =
        result =
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {0, 2056828669123042546, 140737488345928, 93824992259006, 0, 140737354120256, -2056828667890295566, -2056810639910298382}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x10000ffff, 0x7fffffffdac0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 65535}}}
        not_first_call =
#37434 0x00007ffff7ac207d in __libc_start_main_impl (main=0x55555555abbe , argc=2, argv=0x7fffffffdb48, init=, fini=, rtld_fini=, stack_end=0x7fffffffdb38) at ../csu/libc-start.c:409
No locals.
#37435 0x00005555555585a5 in _start ()
No symbol table info available.
```
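The "Cases 3, 4, 5" backtrace shows a visitor recursing forever because an asset's precomp layer refers back to the same asset by refId. The following is an added example, not rlottie code: a three-colour DFS over the asset/refId graph that reports such a cycle before any recursive walk starts. Asset, Model and hasRefCycle are this example's own names; the models are constructed to mirror the reporter's 009f/011f JSONs.

```cpp
// Added example (not rlottie code): detect cyclic precomposition references
// (asset -> layer with ty 0 -> refId -> asset ...) before walking them
// recursively. Names (Asset, Model, hasRefCycle) are this example's own.
#include <map>
#include <set>
#include <string>
#include <vector>

struct Asset {
    std::string id;
    std::vector<std::string> refIds;  // refId of each precomp layer inside the asset
};

struct Model {
    std::vector<Asset> assets;
    std::vector<std::string> rootRefIds;  // refId of each top-level precomp layer
};

// Three-colour DFS: unseen, on the current path (onPath), finished (done).
// A refId that resolves to an asset already on the path is a back edge,
// which is exactly what makes an unguarded recursive visitor overflow.
static bool dfs(const std::string& id,
                const std::map<std::string, const Asset*>& byId,
                std::set<std::string>& onPath,
                std::set<std::string>& done) {
    auto it = byId.find(id);
    if (it == byId.end()) return false;  // empty/dangling refId: unresolved, not a cycle
    if (done.count(id)) return false;    // already fully explored
    if (onPath.count(id)) return true;   // back edge => cycle
    onPath.insert(id);
    for (const auto& child : it->second->refIds) {
        if (dfs(child, byId, onPath, done)) return true;
    }
    onPath.erase(id);
    done.insert(id);
    return false;
}

// Returns true if any chain of refIds starting at a top-level layer loops.
// Recursion depth is bounded by the number of distinct assets, so this
// check itself cannot blow the stack on a crafted file.
bool hasRefCycle(const Model& m) {
    std::map<std::string, const Asset*> byId;
    for (const auto& a : m.assets) byId[a.id] = &a;
    std::set<std::string> onPath, done;
    for (const auto& r : m.rootRefIds) {
        if (dfs(r, byId, onPath, done)) return true;
    }
    return false;
}

// Constructed models mirroring the reporter's 009f and 011f JSONs:
// asset "a" contains a precomp layer pointing at "a" itself.
Model model009f() { return Model{{{"a", {"a"}}}, {"a"}}; }
// 011f adds a second top-level layer with an empty refId (dangling, harmless).
Model model011f() { return Model{{{"c", {"c"}}}, {"c", ""}}; }
// A well-formed nesting for comparison: root -> x -> y, no back edge.
Model modelAcyclic() { return Model{{{"x", {"y"}}, {"y", {}}}, {"x"}}; }
```

A loader that runs this check on the parsed composition can reject the file with an error instead of letting processRepeaterObjects recurse until the stack is exhausted.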
mymedia2 commented 2 years ago

Fuzz testing is still in progress, and I found three new JSONs that break rLottie.

Cases 7, 8

Assertion failures in ft_stroke_border_export and model::Trim::(no)?loop and then stack buffer overflow if the NDEBUG macro is defined.

014f.json

```
{"v":"0","op":5,"h":3,"layers":[{"ty":4,"ks":{},"shapes":[{"ty":"sr","pt":{"k":[{"i":{},"e":[10000]}]},"or":{"k":[{"i":{},"s":[1]},{"t":4}]},"os":{"k":[{"i":{},"s":[5]},{"t":4}]}},{"ty":"st","w":{"k":2}}],"op":5}]}
```

016f.json

```
{"v":"0","op":9,"layers":[{"ty":4,"ks":{},"shapes":[{"ty":"tm","s":{"k":[{"i":{},"o":{"y":[9]},"s":[1]},{"t":9}]},"o":{"k":5}}],"op":9}]}
```

Click to see output (lottie2gif ...)

```
mymedia@barberry:~/rlottie$ build/example/lottie2gif fuzz/collect/014f.json
lottie2gif: /home/mymedia/rlottie/src/vector/freetype/v_ft_stroker.cpp:666: void ft_stroke_border_export(SW_FT_StrokeBorder, SW_FT_Outline*): Assertion `SW_FT_Outline_Check(outline) == 0' failed.
Aborted
mymedia@barberry:~/rlottie$ build/example/lottie2gif fuzz/collect/016f.json
lottie2gif: /home/mymedia/rlottie/src/lottie/lottiemodel.h:1058: rlottie::internal::model::Trim::Segment rlottie::internal::model::Trim::noloop(float, float) const: Assertion `start >= 0' failed.
Aborted
```

Case 9

Deadlock due to an unset guard flag in SharedRle.

017f.json

```
{"v":"5.1.17","fr":30,"op":30,"w":300,"h":300,"layers":[{"op":30,"ty":4,"ks":{},"shapes":[{"ty":"rc","s":{"k":[{"i":{},"s":[1,1],"e":[111111]},{"t":3}]}},{"ty":"st","w":{"k":1},"d":[{"v":{"k":1}},{"v":{}}]}]}]}
```