From 30942391f15e1d058943ebf614544e2ac03eef35 Mon Sep 17 00:00:00 2001
From: Joshua Rogers
Date: Fri, 5 Sep 2025 17:56:19 +0200
Subject: [PATCH] fix(path_fiddle): destroy scenes before artboards to avoid UAF
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

`clear_scenes()` previously cleared `artboards` before `scenes`. Since `Scene` objects are constructed from `Artboard` instances and may hold raw references back into them, this ordering risked use-after-free during `Scene` destruction. Reorder the clears to: scenes → artboards → viewModelInstances, ensuring dependencies are released in safe order.
---
 renderer/path_fiddle/path_fiddle.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/renderer/path_fiddle/path_fiddle.cpp b/renderer/path_fiddle/path_fiddle.cpp
index 40d0aca77..0ffc21b1a 100644
--- a/renderer/path_fiddle/path_fiddle.cpp
+++ b/renderer/path_fiddle/path_fiddle.cpp
@@ -91,8 +91,8 @@ std::vector> viewModelInstances;
 static void clear_scenes() {
- artboards.clear();
 scenes.clear();
+ artboards.clear();
 viewModelInstances.clear();
 }
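Review bot: The lifetime rule this fix depends on is recorded only in the commit message, so nothing in `clear_scenes()` tells a later editor that `scenes.clear()` must stay ahead of `artboards.clear()`. I would add a comment above the first clear, such as `// Scenes may hold raw references into their Artboard: destroy scenes first, then artboards.` The same dependency presumably applies wherever these file-scope vectors are destroyed without going through `clear_scenes()`. At process exit, static objects are torn down in reverse declaration order, and the declarations of `scenes` and `artboards` are outside the hunk. It is worth confirming that `scenes` is declared after `artboards`, or that `clear_scenes()` always runs before exit; otherwise the use-after-free can still occur on shutdown.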