From 7da46412223273b3adf6d513466342b9d3a5c869 Mon Sep 17 00:00:00 2001
From: Simon Tatham
Date: Wed, 19 Feb 2025 08:28:48 +0000
Subject: [PATCH] Mosaic: fix one-byte-too-short buffer in solve_game().

Thanks to Jason Hood for the report. The crash is trivially reproduced under Address Sanitizer if you set up the game id 15x15#12345 and then use the Solve UI action.

---
 mosaic.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mosaic.c b/mosaic.c
index 594039f..f171cf6 100644
--- a/mosaic.c
+++ b/mosaic.c
@@ -951,7 +951,7 @@ static char *solve_game(const game_state *state,
 return NULL;
 }
- ret = snewn((size / 4) + 3, char);
+ ret = snewn((size / 4) + 4, char);
 ret[0] = 's';
 i = 0;