From ba5ad2e2f4dc49c305679435ba1f244e2ceb77a1 Mon Sep 17 00:00:00 2001
From: Martin Fleisz <martin.fleisz@thincast.com>
Date: Tue, 6 Mar 2018 15:34:55 +0100
Subject: [PATCH] codec: Prevent invalid mem access on realloc failure

---
 libfreerdp/codec/rfx.c | 34 ++++++++++++++++++----------------
 1 file changed, 18 insertions(+), 16 deletions(-)

diff --git a/libfreerdp/codec/rfx.c b/libfreerdp/codec/rfx.c
index 27b59db..cd0af77 100644
--- a/libfreerdp/codec/rfx.c
+++ b/libfreerdp/codec/rfx.c
@@ -1622,32 +1622,34 @@ skip_encoding_loop:
 	}
 
 	/* when using threads ensure all computations are done */
-	message->tilesDataSize = 0;
-	workObject = context->priv->workObjects;
-
-	for (i = 0; i < message->numTiles; i++)
+	if (success)
 	{
-		tile = message->tiles[i];
+		message->tilesDataSize = 0;
+		workObject = context->priv->workObjects;
 
-		if (context->priv->UseThreads)
+		for (i = 0; i < message->numTiles; i++)
 		{
-			if (*workObject)
+			tile = message->tiles[i];
+
+			if (context->priv->UseThreads)
 			{
-				WaitForThreadpoolWorkCallbacks(*workObject, FALSE);
-				CloseThreadpoolWork(*workObject);
+				if (*workObject)
+				{
+					WaitForThreadpoolWorkCallbacks(*workObject, FALSE);
+					CloseThreadpoolWork(*workObject);
+				}
+
+				workObject++;
 			}
 
-			workObject++;
+			message->tilesDataSize += rfx_tile_length(tile);
 		}
 
-		message->tilesDataSize += rfx_tile_length(tile);
-	}
+		region16_uninit(&tilesRegion);
+		region16_uninit(&rectsRegion);
 
-	region16_uninit(&tilesRegion);
-	region16_uninit(&rectsRegion);
-
-	if (success)
 		return message;
+	}
 
 	WLog_ERR(TAG, "%s: failed", __FUNCTION__);
 	message->freeRects = TRUE;
-- 
2.7.4