From 86e783e4fb9e6ccd65013966fe92d0f8a7d74a8f Mon Sep 17 00:00:00 2001
From: Vic Lee
Date: Tue, 3 Sep 2013 20:27:08 +0800
Subject: [PATCH] libfreerdp-codec/rfx: fix memory corruptions.
---
 include/freerdp/codec/rfx.h | 1 +
 libfreerdp/codec/rfx.c | 12 ++++++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/include/freerdp/codec/rfx.h b/include/freerdp/codec/rfx.h
index 254cadfb5..57f4fed44 100644
--- a/include/freerdp/codec/rfx.h
+++ b/include/freerdp/codec/rfx.h
@@ -55,6 +55,7 @@ struct _RFX_TILE
 int height;
 BYTE* data;
 int scanline;
+ BOOL allocated;
 BYTE quantIdxY;
 BYTE quantIdxCb;
diff --git a/libfreerdp/codec/rfx.c b/libfreerdp/codec/rfx.c
index 5d6bbe7a1..0cbcbd0d8 100644
--- a/libfreerdp/codec/rfx.c
+++ b/libfreerdp/codec/rfx.c
@@ -164,6 +164,7 @@ RFX_TILE* rfx_tile_new()
 ZeroMemory(tile, sizeof(RFX_TILE));
 tile->data = (BYTE*) malloc(4096 * 4); /* 64x64 * 4 */
+ tile->allocated = TRUE;
 }
 return tile;
@@ -173,7 +174,8 @@ void rfx_tile_free(RFX_TILE* tile)
 {
 if (tile)
 {
- free(tile->data);
+ if (tile->allocated)
+ free(tile->data);
 free(tile);
 }
 }
@@ -1065,7 +1067,8 @@ RFX_MESSAGE* rfx_encode_message(RFX_CONTEXT* context, const RFX_RECT* rects,
 if (!context->numQuant)
 {
 context->numQuant = 1;
- context->quants = (UINT32*) rfx_default_quantization_values;
+ context->quants = (UINT32*) malloc(sizeof(rfx_default_quantization_values));
+ memcpy(context->quants, rfx_default_quantization_values, sizeof(rfx_default_quantization_values));
 context->quantIdxY = 0;
 context->quantIdxCb = 0;
 context->quantIdxCr = 0;
@@ -1111,6 +1114,11 @@ RFX_MESSAGE* rfx_encode_message(RFX_CONTEXT* context, const RFX_RECT* rects,
 ax = rect->x + tile->x;
 ay = rect->y + tile->y;
+ if (tile->data && tile->allocated)
+ {
+ free(tile->data);
+ tile->allocated = FALSE;
+ }
 tile->data = &data[(ay * scanline) + (ax * BytesPerPixel)];
 tile->quantIdxY = context->quantIdxY;
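Review bot: The new `allocated` member of `struct _RFX_TILE` in include/freerdp/codec/rfx.h decides whether `rfx_tile_free()` releases `data`, but the header does not say so. I would document it at the declaration, `BOOL allocated; /* TRUE while data is owned by the tile and released by rfx_tile_free() */`. The flag is set to TRUE only in `rfx_tile_new()`, so any tile that is created another way has to zero it, otherwise the free decision is taken on an indeterminate value; whether such tiles exist is not visible in this patch. The struct continues outside the hunk.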
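Review bot: In the `rfx_encode_message()` hunk at -1065 of libfreerdp/codec/rfx.c the result of the added `malloc()` goes straight into `memcpy()`, so an allocation failure turns into a write through a NULL pointer. `context->numQuant` has already been set to 1 on the line before, which would also leave the context advertising one quantization table with no storage behind it. I would check the pointer before copying, `if (!context->quants) return NULL;`, and assign `numQuant` only after the copy succeeded. What else must be released on that early return, and where the new buffer is eventually freed, lies outside the hunk and should be confirmed.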
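Review bot: After the added block in the `rfx_encode_message()` hunk at -1111 the tile is left with `allocated == FALSE` and a `data` pointer into the caller's image buffer, and nothing in this patch gives it an owned buffer again. If tiles are recycled after encoding (not visible here), a later user that expects the 64x64*4 buffer from `rfx_tile_new()` would read or write through a borrowed pointer whose buffer may already be gone. I would either clear `tile->data` when the encoded message is released or keep the owned buffer and store the borrowed pointer in a separate member. The `tile->data &&` test is redundant because `free(NULL)` is a no-op; `if (tile->allocated)` would match `rfx_tile_free()`. The function body starts and ends outside the hunk.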