From cd29cc15781ec667c2dcac5a984654b9411a0182 Mon Sep 17 00:00:00 2001
From: holub <andrei.holub@gmail.com>
Date: Fri, 27 Dec 2024 13:43:54 -0500
Subject: [PATCH] sinclair/atm.cpp: fix MT08472 heap overflow/crash (#13123)

* MT08472: heap overflow
* fix palette range
---
 src/mame/sinclair/atm.cpp     | 4 ++--
 src/mame/sinclair/atm.h       | 2 +-
 src/mame/sinclair/pentevo.cpp | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/mame/sinclair/atm.cpp b/src/mame/sinclair/atm.cpp
index 7b37c488aa5..5df94a09d1e 100644
--- a/src/mame/sinclair/atm.cpp
+++ b/src/mame/sinclair/atm.cpp
@@ -95,7 +95,7 @@ void atm_state::atm_port_ff_w(offs_t offset, u8 data)
 	{
 		// Must read current ULA value (which is doesn't work now) from the BUS.
 		// Good enough as non-border case is too complicated and possibly no software uses it.
-		u8 pen = get_border_color(m_screen->hpos(), m_screen->vpos());
+		u8 pen = 0x0f & get_border_color(m_screen->hpos(), m_screen->vpos());
 		m_palette_data[pen] = data;
 		m_palette->set_pen_color(pen,
 			(BIT(~data, 1) * 0xaa) | (BIT(~data, 6) * 0x55),
@@ -440,12 +440,12 @@ void atm_state::machine_reset()
 	m_beta->enable();
 	m_beta_drive_selected = 0;
 
+	m_port_fe_data = -1;
 	m_port_7ffd_data = 0;
 	m_port_1ffd_data = -1;
 	m_port_77_data = 0;
 
 	m_br3 = 0;
-	m_palette_data = { 0xff };
 	atm_port_77_w(0x4000, 3); // m_port_77_data: CPM=0(on), PEN=0(off), PEN2=1(off); vmode: zx
 }
 
diff --git a/src/mame/sinclair/atm.h b/src/mame/sinclair/atm.h
index e6cbfeaaa2b..c04285a083a 100644
--- a/src/mame/sinclair/atm.h
+++ b/src/mame/sinclair/atm.h
@@ -102,7 +102,7 @@ protected:
 	bool m_pen2;          // palette selector
 	u8 m_rg = 0b011;      // 0:320x200lo, 2:640:200hi, 3:256x192zx, 6:80x25txt
 	u8 m_br3;
-	std::vector<u8> m_palette_data;
+	u8 m_palette_data[16];
 	u8 m_ata_data_latch;
 	u8 m_beta_drive_selected;
 };
diff --git a/src/mame/sinclair/pentevo.cpp b/src/mame/sinclair/pentevo.cpp
index 2a7896255e8..c1ac0017368 100644
--- a/src/mame/sinclair/pentevo.cpp
+++ b/src/mame/sinclair/pentevo.cpp
@@ -194,7 +194,7 @@ void pentevo_state::atm_port_ff_w(offs_t offset, u8 data)
 {
 	if (BIT(m_port_bf_data, 5) && !m_pen2)
 	{
-		u8 pen = get_border_color(m_screen->hpos(), m_screen->vpos());
+		u8 pen = 0x0f & get_border_color(m_screen->hpos(), m_screen->vpos());
 		m_palette_data[pen] = data;
 		m_palette->set_pen_color(pen,
 			(BIT(~data, 1) * 0x88) | (BIT(~data, 6) * 0x44) | (BIT(~offset,  9) * 0x22) | (BIT(~offset, 14) * 0x11),