src/vector/stb/stb_image.cpp | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 fix path to stb header

src/lottie/lottieparser.cpp | 70 66 + 4 - 0 !
1 file changed, 66 insertions(+), 4 deletions(-)

 reimplement iterativeparseinit and iterativeparsenext
 In order to use the old rapidjson v1.1.0, we have to implement IterativeReader
 class by ourselves.

inc/rlottie.h | 30 30 + 0 - 0 !
src/binding/c/lottieanimation_capi.cpp | 4 2 + 2 - 0 !
src/lottie/lottieanimation.cpp | 13 13 + 0 - 0 !
src/lottie/lottieloader.cpp | 2 1 + 1 - 0 !
4 files changed, 46 insertions(+), 3 deletions(-)

 hacks for cache compatibility
 In order to provide backward compatibility with previous versions of the
 package available in Debian, the patch temporary reintroduces the loadFromFile
 and the loadFromData methods with old signature. These methods are intended for
 use by non-rebuilt binaries.
 .
 The modification turns caching off by default. If a client supports rlottie's
 cache, it may call configureModelCacheSize to inform the library.

CMakeLists.txt | 8 4 + 4 - 0 !
1 file changed, 4 insertions(+), 4 deletions(-)

 bump soversion number

src/lottie/lottieitem.cpp | 12 11 + 1 - 0 !
src/lottie/lottieitem.h | 1 1 + 0 - 0 !
2 files changed, 12 insertions(+), 1 deletion(-)

 check for layer parent-child links

src/vector/vrle.cpp | 45 31 + 14 - 0 !
1 file changed, 31 insertions(+), 14 deletions(-)

 check buffer length in vrle.
 Should fix CVE-2021-31315 related issues.

src/lottie/lottiemodel.h | 12 9 + 3 - 0 !
1 file changed, 9 insertions(+), 3 deletions(-)

 fix crash in malformed lottie animations.

src/lottie/lottieitem.cpp | 3 3 + 0 - 0 !
src/lottie/lottiemodel.cpp | 12 11 + 1 - 0 !
src/vector/vdrawhelper.cpp | 5 4 + 1 - 0 !
3 files changed, 18 insertions(+), 2 deletions(-)

 fix some crashes on invalid data.
 Should fix CVE-2021-31318, CVE-2021-31319, CVE-2021-31320, CVE-2021-31322.

src/vector/freetype/v_ft_raster.cpp | 19 19 + 0 - 0 !
1 file changed, 19 insertions(+)

 verify array length before writing in freetype
 An attempt to fix CVE-2021-31321 based on John Preston's commit.
 https://github.com/desktop-app/rlottie/commit/d369d84e868352886cee48eecb60b462f6dfe067

src/lottie/lottiemodel.h | 2 1 + 1 - 0 !
src/lottie/lottieparser.cpp | 20 12 + 8 - 0 !
2 files changed, 13 insertions(+), 9 deletions(-)

 fortify lottie parser

src/lottie/lottiemodel.cpp | 2 1 + 1 - 0 !
src/vector/vdrawable.cpp | 4 4 + 0 - 0 !
2 files changed, 5 insertions(+), 1 deletion(-)

 an attempt to fix cve-2021-31317
 After conversation on GitHub PR, I've added check of data size in
 LOTDashProperty::getDashInfo method. However, a call to the push_back method
 remains, it should not hurt anything.

src/vector/vrle.cpp | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 explicitly include <limits> header.
Bug: https://github.com/Samsung/rlottie/pull/442
Bug-Debian: https://bugs.debian.org/984323

src/lottie/lottieparser.cpp | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 put zero point in case of corrupted shape data
 Upstream rlottie at the master branch seems to be not affected by the crash.
 They refactored the corresponding code.
Bug-Debian: https://bugs.debian.org/974095

src/lottie/lottiemodel.h | 10 5 + 5 - 0 !
1 file changed, 5 insertions(+), 5 deletions(-)

 fix dereferencing of null pointer in model::layer::solidcolor() getter
 Also remove unnecessarily check of mExtra->mAsset in the asset() getter.