Telegram implements video calling using bunch of sketchy C code same as WhatsApp and Signal. There's no reason to think it's less vulnerable these sort of bugs.
Sqlite has had multiple CVEs featuring use-after-free, heap overflows, usage of null pointers, use of uninitialized memory, and array bounds overflows. [1]