Memory corruption on loading into Network match 2

[xezon]

Application Verifier is enabled with "Basics" enabled.
100% Crash on loading into Skirmish match with Mortal Temptation map.

Mortal Temptation ZH v1.zip

ZH CD version game.dat

>	KernelBase.dll!755bb512() 	
 	[Frames below may be incorrect and/or missing, no symbols loaded for KernelBase.dll]	
 	KernelBase.dll!755bb512() 	
 	KernelBase.dll!755d9d2a() 	
 	msvcrt.dll!7540a718() 	
 	atiumdag.dll!5f3458f4() 	
 	game.dat!00830997() 	
 	game.dat!0082f7dd() 	
 	game.dat!0081ad88() 	
 	game.dat!0081ac1c() 	
 	game.dat!00815aaa() 	
 	game.dat!00932aa9() 	
 	game.dat!00763e0b() 	
 	game.dat!008095ae() 	
 	game.dat!00740709() 	
 	game.dat!004140d8() 	
 	game.dat!006df73e() 	
 	game.dat!007cf97b() 	
 	game.dat!004fab69() 	
 	game.dat!004fabc1() 	
 	game.dat!004fac43() 	
 	game.dat!007a964d() 	
 	game.dat!0073e78d() 	
 	game.dat!0046fdab() 	
 	game.dat!00539dbb() 	
 	game.dat!004ad2e0() 	
 	game.dat!0040fcf4() 	
 	game.dat!00741c89() 	
 	game.dat!0040fdaa() 	
 	game.dat!00413866() 	
 	game.dat!00401c46() 	
 	verifier.dll!_AVrfpDphPostProcessing@4()  + 0x1a bytes	
 	verifier.dll!_AVrfpDphPlaceOnDelayFree@8()  + 0x258 bytes	
 	0019fbb8()	
 	ntdll.dll!773bfe30() 	
 	ntdll.dll!7737636b() 	
 	ntdll.dll!7732288a() 	
 	vfbasics.dll!_AVrfpSRWLockFreeMemoryChecks@16()  + 0xab bytes	
 	verifier.dll!_AVrfpDphFindBusyMemoryNoCheck@8()  + 0x4f bytes	
 	6172656e()	
 	ntdll.dll!773c05c8() 	
 	vfbasics.dll!_AVrfpFreeForOwnersTree@8()  + 0x3a bytes	
 	ntdll.dll!7737e4ac() 	
 	msvcrt.dll!754170f2() 	
 	msvcrt.dll!75436f95() 	
 	msvcrt.dll!754364f1() 	
 	msvcrt.dll!75426e3d() 	
 	msvcrt.dll!75426e23() 	
 	game.dat!008e0c57() 	
 	game.dat!006e0069() 	
 	game.dat!006e0069() 	
 	game.dat!006e0069() 	
 	game.dat!006e0069() 	
 	game.dat!006e0069() 	
 	game.dat!00650052() 	
 	game.dat!00650052() 	
 	game.dat!006e0069() 	
 	game.dat!006e0069() 	
 	game.dat!006e0069() 	
 	game.dat!005c0032() 	
 	game.dat!005c0032() 	
 	game.dat!006e0069() 	
 	game.dat!006e0069() 	

EAX = 0019F218 EBX = 0019F2E8 ECX = 00000003 EDX = 00000000 ESI = 753D3DA8 EDI = 0096C9C8 EIP = 755BB512 ESP = 0019F218 EBP = 0019F270 EFL = 00200216 

0019F26C = 0F285AE6 

755BB4E6  test        ecx,ecx 
755BB4E8  je          755BB523 
755BB4EA  mov         eax,dword ptr [ebp+10h] 
755BB4ED  cmp         eax,0Fh 
755BB4F0  ja          755BB52A 
755BB4F2  mov         dword ptr [esp+10h],eax 
755BB4F6  shl         eax,2 
755BB4F9  push        eax  
755BB4FA  push        ecx  
755BB4FB  lea         eax,[esp+1Ch] 
755BB4FF  push        eax  
755BB500  call        755C4E24 
755BB505  add         esp,0Ch 
755BB508  lea         eax,[esp] 
755BB50B  push        eax  
755BB50C  call        dword ptr ds:[7566C3FCh] 
755BB512  mov         ecx,dword ptr [esp+54h]  <------ crash here: indicates corrupted stack
755BB516  xor         ecx,esp 
755BB518  call        755C0340 
755BB51D  mov         esp,ebp 
755BB51F  pop         ebp  
755BB520  ret         10h  
755BB523  and         dword ptr [esp+10h],0 
755BB528  jmp         755BB508 
755BB52A  push        0Fh  
755BB52C  pop         eax  
755BB52D  jmp         755BB4F2 
755BB52F  int         3    
755BB530  int         3    
755BB531  int         3    
755BB532  int         3    
755BB533  int         3    
755BB534  int         3    
755BB535  int         3    

[tomsons26]

007cf97b W3DGameWinDefaultDraw calls 006DF710 GameWindowManager::winDrawImage and thats where it goes wrong.
Likely same issue as #92