From 09f067da20ccc8b37b7766832c220a8c8a7b8416 Mon Sep 17 00:00:00 2001
From: Jacek Jendrzej <overx300@gmail.com>
Date: Sat, 26 Mar 2022 17:17:14 +0100
Subject: [PATCH] tuxtxt: try to fix use sbit->buffer after free; test on
 Phoenix site 280

---
 lib/libtuxtxt/tuxtxt.cpp | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/lib/libtuxtxt/tuxtxt.cpp b/lib/libtuxtxt/tuxtxt.cpp
index d960fcb11..f26b23d30 100644
--- a/lib/libtuxtxt/tuxtxt.cpp
+++ b/lib/libtuxtxt/tuxtxt.cpp
@@ -4817,21 +4817,25 @@ void RenderChar(int Char, tstPageAttr *Attribute, int zoom, int yoffset)
 
 		if ((glyph = FT_Get_Char_Index(face, Char)))
 		{
+			sbitbuffer = (unsigned char*) localbuffer;
+			memmove(sbitbuffer,sbit->buffer,sbit->pitch*sbit->height);
+			int  height = sbit->height;
+			int  p = sbit->pitch;
 			if ((error = FTC_SBitCache_Lookup(cache, &typettf, glyph, &sbit_diacrit, NULL)) == 0)
-
 			{
-				sbitbuffer = (unsigned char*) localbuffer;
-				memmove(sbitbuffer,sbit->buffer,sbit->pitch*sbit->height);
-
-				for (Row = 0; Row < sbit->height; Row++)
+				for (Row = 0; Row < height; Row++)
 				{
-					for (Pitch = 0; Pitch < sbit->pitch; Pitch++)
+					for (Pitch = 0; Pitch < p; Pitch++)
 					{
 						if (sbit_diacrit->pitch > Pitch && sbit_diacrit->height > Row)
-							if((sbit_diacrit->pitch*sbit_diacrit->height) > (Row*sbit->pitch+Pitch))
-								sbitbuffer[Row*sbit->pitch+Pitch] |= sbit_diacrit->buffer[Row*sbit->pitch+Pitch];
+							if((sbit_diacrit->pitch*sbit_diacrit->height) > (Row*p+Pitch))
+								sbitbuffer[Row*p+Pitch] |= sbit_diacrit->buffer[Row*p+Pitch];
 					}
 				}
+				if ((error = FTC_SBitCache_Lookup(cache, &typettf, glyph, &sbit, NULL)) != 0)
+				{
+					return;
+				}
 			}
 		}
 	}