https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111960
--- Comment #10 from Jakub Jelinek <jakub at gcc dot gnu.org> --- So, I believe the really problematic change was r14-2389-g3cce8d98f270f48f which introduced at least in theory the buffer overflow, before that the maximum string length no matter what m_val was was 62 chars. Now, I wonder what is the reason to have methods dump it into a buffer and then dump the buffer to FILE *, when the former method is only used in the latter method and nowhere else. 2024-02-21 Jakub Jelinek <ja...@redhat.com> PR ipa/111960 * profile-count.h (profile_count::dump): Remove overload with char * first argument. * profile-count.cc (profile_count::dump): Change overload with char * first argument which uses sprintf into the overfload with FILE * first argument and use fprintf instead. Remove overload which wrapped it. --- gcc/profile-count.h.jj 2024-01-03 11:51:30.309748150 +0100 +++ gcc/profile-count.h 2024-02-21 21:04:22.338905728 +0100 @@ -1299,9 +1299,6 @@ public: /* Output THIS to F. */ void dump (FILE *f, struct function *fun = NULL) const; - /* Output THIS to BUFFER. */ - void dump (char *buffer, struct function *fun = NULL) const; - /* Print THIS to stderr. */ void debug () const; --- gcc/profile-count.cc.jj 2024-01-03 11:51:40.782602796 +0100 +++ gcc/profile-count.cc 2024-02-21 21:05:28.521994913 +0100 @@ -84,34 +84,24 @@ const char *profile_quality_display_name "precise" }; -/* Dump THIS to BUFFER. */ +/* Dump THIS to F. */ void -profile_count::dump (char *buffer, struct function *fun) const +profile_count::dump (FILE *f, struct function *fun) const { if (!initialized_p ()) - sprintf (buffer, "uninitialized"); + fprintf (f, "uninitialized"); else if (fun && initialized_p () && fun->cfg && ENTRY_BLOCK_PTR_FOR_FN (fun)->count.initialized_p ()) - sprintf (buffer, "%" PRId64 " (%s, freq %.4f)", m_val, + fprintf (f, "%" PRId64 " (%s, freq %.4f)", m_val, profile_quality_display_names[m_quality], to_sreal_scale (ENTRY_BLOCK_PTR_FOR_FN (fun)->count).to_double ()); else - sprintf (buffer, "%" PRId64 " (%s)", m_val, + fprintf (f, "%" PRId64 " (%s)", m_val, profile_quality_display_names[m_quality]); } -/* Dump THIS to F. */ - -void -profile_count::dump (FILE *f, struct function *fun) const -{ - char buffer[64]; - dump (buffer, fun); - fputs (buffer, f); -} - /* Dump THIS to stderr. */ void patch certainly fixes the buffer overflow... Or of course just enlarge the buffer. But, I don't really see anything that would bound sreal values to be within some small double range, the range of m_exp is range of int, so in theory the ldexp can always overflow to infinity or result in close to maximum finite representable doubles.