From a91eca44806d300f5eb81e88a61a0b7d4f1211ac Mon Sep 17 00:00:00 2001
From: Dorian Johnson <2012@dorianj.net>
Date: Wed, 23 May 2012 16:18:39 -0500
Subject: [PATCH] libfreerdp-codec: fix off-by-one memory corruption in ico
 parser

---
 libfreerdp-codec/color.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/libfreerdp-codec/color.c b/libfreerdp-codec/color.c
index 3cadc2876..bb8898ca8 100644
--- a/libfreerdp-codec/color.c
+++ b/libfreerdp-codec/color.c
@@ -822,7 +822,7 @@ uint8* freerdp_icon_convert(uint8* srcData, uint8* dstData, uint8* mask, int wid
 				
 				for (bit = 0; bit < 8; bit++)
 					if ((bmask & (0x80 >> bit)) == 0)
-						*(icon + (height - y) * width + x + bit) |= 0xFF000000;
+						*(icon + (height - y - 1) * width + x + bit) |= 0xFF000000;
 			}
 			
 			if ((width % 8) != 0)
@@ -831,7 +831,7 @@ uint8* freerdp_icon_convert(uint8* srcData, uint8* dstData, uint8* mask, int wid
 				
 				for (bit = 0; bit < width % 8; bit++)
 					if ((bmask & (0x80 >> bit)) == 0)
-						*(icon + (height - y) * width + x + bit) |= 0xFF000000;
+						*(icon + (height - y - 1) * width + x + bit) |= 0xFF000000;
 			}
 		
 			/* Skip padding */
@@ -840,8 +840,6 @@ uint8* freerdp_icon_convert(uint8* srcData, uint8* dstData, uint8* mask, int wid
 		}
 	}
 
-	free(mask);
-
 	return dstData;
 }