From 52afffaa15f9bf8f58982e12795113d4a5cab907 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Mon, 26 Aug 2024 20:56:06 +0200
Subject: [PATCH] Mosaic: Fix buffer overflow in game_text_format()

The text format includes newline characters that weren't being included in the buffer length calculation. Fix the calculation and assert before returning that the string offset matches the calculated length.
---
 mosaic.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/mosaic.c b/mosaic.c
index 05a339d..594039f 100644
--- a/mosaic.c
+++ b/mosaic.c
@@ -980,8 +980,8 @@ static bool game_can_format_as_text_now(const game_params *params)
 
 static char *game_text_format(const game_state *state)
 {
-    char *desc_string =
-        snewn((state->height * state->width) * 3 + 1, char);
+    size_t desc_len = state->height * (state->width * 3 + 1);
+    char *desc_string = snewn(desc_len + 1, char);
     int location_in_str = 0, x, y;
     for (y = 0; y < state->height; y++) {
         for (x = 0; x < state->width; x++) {
@@ -997,6 +997,7 @@ static char *game_text_format(const game_state *state)
             sprintf(desc_string + location_in_str, "\n");
             location_in_str += 1;
         }
+    assert(location_in_str == desc_len);
     return desc_string;
 }
 
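Review bot: The new length expression on the `desc_len` line is still evaluated in the operands' own type before the result is widened, so declaring `desc_len` as `size_t` does not by itself protect the multiplication; if `height` and `width` are `int` (their declaration is outside the hunk) the product can overflow before the assignment and the allocation would then be too small for the writes that follow. Widen an operand first: `size_t desc_len = (size_t)state->height * ((size_t)state->width * 3 + 1);`. Whether the grid dimensions are already bounded by parameter validation elsewhere is not visible here; if they are, a one-line comment saying so next to the calculation would justify the plain arithmetic. The body of game_text_format continues past the end of this hunk.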
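Review bot: The added assert compares the `int` `location_in_str` with the `size_t` `desc_len`, a signed/unsigned comparison that `-Wsign-compare` flags and that goes through an implicit conversion of the signed side; `assert((size_t)location_in_str == desc_len);` keeps the intent without the warning, or `location_in_str` could be declared `size_t` in the first hunk. The assert is also compiled out under NDEBUG, so it documents the invariant rather than enforcing the bound; the corrected allocation size in the first hunk is what actually prevents the overwrite, and a short comment such as `/* every cell writes 3 chars, every row a newline; see desc_len */` would make that relationship visible at the check. The loop that fills the buffer begins before this hunk.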