diff --git a/libfreerdp-cache/bitmap.c b/libfreerdp-cache/bitmap.c
index 99c100531..e3e2303fa 100644
--- a/libfreerdp-cache/bitmap.c
+++ b/libfreerdp-cache/bitmap.c
@@ -173,9 +173,10 @@ rdpBitmap* bitmap_cache_get(rdpBitmapCache* bitmap_cache, uint32 id, uint32 inde
 	}
 
 	if (index == BITMAP_CACHE_WAITING_LIST_INDEX)
-		index = bitmap_cache->cells[id].number - 1;
-
-	if (index > bitmap_cache->cells[id].number)
+	{
+		index = bitmap_cache->cells[id].number;
+	}
+	else if (index > bitmap_cache->cells[id].number)
 	{
 		printf("get invalid bitmap index %d in cell id: %d\n", index, id);
 		return NULL;
@@ -195,9 +196,10 @@ void bitmap_cache_put(rdpBitmapCache* bitmap_cache, uint32 id, uint32 index, rdp
 	}
 
 	if (index == BITMAP_CACHE_WAITING_LIST_INDEX)
-		index = bitmap_cache->cells[id].number - 1;
-
-	if (index > bitmap_cache->cells[id].number)
+	{
+		index = bitmap_cache->cells[id].number;
+	}
+	else if (index > bitmap_cache->cells[id].number)
 	{
 		printf("put invalid bitmap index %d in cell id: %d\n", index, id);
 		return;
@@ -255,7 +257,8 @@ rdpBitmapCache* bitmap_cache_new(rdpSettings* settings)
 		for (i = 0; i < (int) bitmap_cache->maxCells; i++)
 		{
 			bitmap_cache->cells[i].number = settings->bitmapCacheV2CellInfo[i].numEntries;
-			bitmap_cache->cells[i].entries = (rdpBitmap**) xzalloc(sizeof(rdpBitmap*) * bitmap_cache->cells[i].number);
+			/* allocate an extra entry for BITMAP_CACHE_WAITING_LIST_INDEX */
+			bitmap_cache->cells[i].entries = (rdpBitmap**) xzalloc(sizeof(rdpBitmap*) * bitmap_cache->cells[i].number + 1);
 		}
 	}
 
@@ -271,7 +274,7 @@ void bitmap_cache_free(rdpBitmapCache* bitmap_cache)
 	{
 		for (i = 0; i < (int) bitmap_cache->maxCells; i++)
 		{
-			for (j = 0; j < (int) bitmap_cache->cells[i].number; j++)
+			for (j = 0; j < (int) bitmap_cache->cells[i].number + 1; j++)
 			{
 				bitmap = bitmap_cache->cells[i].entries[j];