From 09c2540e6b6bb7d2f0ae145100810bdeb8ddd991 Mon Sep 17 00:00:00 2001
From: William Kendrick
Date: Tue, 5 Aug 2014 17:06:08 +0000
Subject: [PATCH] Unclear how mosaic_shaped is supposed to work, but added a counter to prevent recursing too deep, which will cause a crash.
---
 magic/src/mosaic_shaped.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/magic/src/mosaic_shaped.c b/magic/src/mosaic_shaped.c
index ad0fcf89d..249544f1c 100644
--- a/magic/src/mosaic_shaped.c
+++ b/magic/src/mosaic_shaped.c
@@ -534,6 +534,8 @@ void reset_counter(SDL_Surface * canvas, Uint8 * counter)
 }
+int scan_fill_count;
+
 int scan_fill(magic_api * api, SDL_Surface * canvas, SDL_Surface * srfc, int x, int y, int fill_edge, int fill_tile, int size, Uint32 color)
 {
 int leftx, rightx;
@@ -543,8 +545,17 @@ int scan_fill(magic_api * api, SDL_Surface * canvas, SDL_Surface * srfc, int x,
 leftx = x - 1;
 rightx = x + 1;
+ /* Abort, if we recurse too deep! -bjk 2014.08.05 */
+ scan_fill_count++;
+ if (scan_fill_count > 50000)
+ {
+ scan_fill_count--;
+ return (0);
+ }
+
 if (mosaic_shaped_counted[y * canvas->w + x] == 1)
 {
+ scan_fill_count--;
 return (0);
 }
@@ -555,6 +566,7 @@ int scan_fill(magic_api * api, SDL_Surface * canvas, SDL_Surface * srfc, int x,
 fill_square(api, canvas, x, y, size, color);
 }
+ scan_fill_count--;
 return (0); /* No need to check more */
 }
@@ -607,6 +619,7 @@ int scan_fill(magic_api * api, SDL_Surface * canvas, SDL_Surface * srfc, int x,
 }
 }
+ scan_fill_count--;
 return (1);
 }
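Review bot: In the `@@ -534,6 +534,8 @@` hunk, `scan_fill_count` is added as a plain file-scope `int`, so it gets external linkage and carries no comment, although every exit path of `scan_fill()` now depends on it staying balanced. If nothing outside this file refers to it (only this file is visible in the patch), declare it `static int scan_fill_count;`. A short comment would help the next maintainer, for example `/* Current nesting depth of scan_fill(); must be back at 0 when the outermost call returns. */`.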
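Review bot: The depth guard in the `@@ -543,8 +545,17 @@` hunk returns `0` when the limit is hit, the same value as the "already counted" path just below it, so a truncated fill is reported as a normal one. The bare `50000` is also unexplained, and whether that many nested frames of a nine-argument function fit on the stack depends on the platform (the frame size is not visible here), so the crash may only be made less likely rather than ruled out. The bookkeeping relies on a `scan_fill_count--` before every `return`, which the patch has to repeat in the `-555,6` and `-607,6` hunks; any exit added later without it would leave the counter raised, and once it passes the limit every subsequent fill is refused. Doing the increment and decrement once in a wrapper around the existing body removes that risk, as sketched below; the body of `scan_fill()` extends beyond these hunks, so the rename has to be applied to the whole function.

```c
/* Maximum nesting depth of scan_fill(); value carried over from this patch. */
#define SCAN_FILL_MAX_DEPTH 50000

static int scan_fill_count;

/* … unchanged: former scan_fill() body, renamed to static scan_fill_body(), without the counter lines … */

int scan_fill(magic_api * api, SDL_Surface * canvas, SDL_Surface * srfc, int x, int y, int fill_edge, int fill_tile, int size, Uint32 color)
{
  int ret;

  /* Refuse to nest deeper; the caller sees 0, as for an already-counted pixel. */
  if (scan_fill_count >= SCAN_FILL_MAX_DEPTH)
    return (0);

  scan_fill_count++;
  ret = scan_fill_body(api, canvas, srfc, x, y, fill_edge, fill_tile, size, color);
  scan_fill_count--;
  return (ret);
}
```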