From 5dc353808370b6489afef20e59f23742e9966e36 Mon Sep 17 00:00:00 2001
From: repojohnray <repojohnray@users.noreply.github.com>
Date: Thu, 14 Jul 2022 17:29:50 +0200
Subject: [PATCH] [Teletext] fix memory overflow

---
 xbmc/video/Teletext.cpp | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/xbmc/video/Teletext.cpp b/xbmc/video/Teletext.cpp
index b0959c7847996..e3301f79c9788 100644
--- a/xbmc/video/Teletext.cpp
+++ b/xbmc/video/Teletext.cpp
@@ -1229,8 +1229,9 @@ void CTeletextDecoder::RenderPage()
         m_RenderInfo.PageAtrb[32].fg = TXT_ColorYellow;
         m_RenderInfo.PageAtrb[32].bg = TXT_ColorMenu1;
         int showpage    = m_txtCache->PageReceiving;
-        int showsubpage = m_txtCache->SubPageTable[showpage];
-        if (showsubpage!=0xff)
+        int showsubpage;
+
+        if (showpage >= 0 && (showsubpage = m_txtCache->SubPageTable[showpage]) != 0xff)
         {
           TextCachedPage_t *pCachedPage;
           pCachedPage = m_txtCache->astCachetable[showpage][showsubpage];
@@ -1303,6 +1304,12 @@ void CTeletextDecoder::RenderPage()
 
 void CTeletextDecoder::DoFlashing(int startrow)
 {
+  TextCachedPage_t* textcachepage =
+      m_txtCache->astCachetable[m_txtCache->Page][m_txtCache->SubPage];
+
+  if (!textcachepage || m_RenderInfo.PageInfo != &textcachepage->pageinfo)
+    m_RenderInfo.PageInfo = nullptr;
+
   /* get national subset */
   if (m_txtCache->NationalSubset <= NAT_MAX_FROM_HEADER && /* not for GR/RU as long as line28 is not evaluated */
      m_RenderInfo.PageInfo && m_RenderInfo.PageInfo->nationalvalid) /* individual subset according to page header */
@@ -2255,7 +2262,11 @@ void CTeletextDecoder::RenderCharIntern(TextRenderInfo_t* RenderInfo, int Char,
 
   /* render char */
   sbitbuffer = m_sBit->buffer;
-  unsigned char localbuffer[1000]; // should be enough to store one character-bitmap...
+
+  std::vector<unsigned char> localbuffer;
+
+  localbuffer.resize((m_sBit->pitch + 1) * m_sBit->height);
+
   // add diacritical marks
   if (Attribute->diacrit)
   {
@@ -2275,15 +2286,17 @@ void CTeletextDecoder::RenderCharIntern(TextRenderInfo_t* RenderInfo, int Char,
     {
       if (FTC_SBitCache_Lookup(m_Cache, &m_TypeTTF, glyph, &sbit_diacrit, NULL) == 0)
       {
-        sbitbuffer = localbuffer;
+        const int sbitLen = sbit_diacrit->height * sbit_diacrit->pitch;
+        sbitbuffer = localbuffer.data();
         memcpy(sbitbuffer,m_sBit->buffer,m_sBit->pitch*m_sBit->height);
 
         for (Row = 0; Row < m_sBit->height; Row++)
         {
           for (Pitch = 0; Pitch < m_sBit->pitch; Pitch++)
           {
-            if (sbit_diacrit->pitch > Pitch && sbit_diacrit->height > Row)
-              sbitbuffer[Row*m_sBit->pitch+Pitch] |= sbit_diacrit->buffer[Row*m_sBit->pitch+Pitch];
+            const int offset = Row * m_sBit->pitch + Pitch;
+            if (sbit_diacrit->pitch > Pitch && sbit_diacrit->height > Row && offset < sbitLen)
+              sbitbuffer[offset] |= sbit_diacrit->buffer[offset];
           }
         }
       }