authorBartosz Nitka <niteria@gmail.com>2017-09-13 08:28:00 -0400
committerBen Gamari <ben@smart-cactus.org>2017-09-13 10:40:02 -0400
commite62391a75c8dc304f902e732fc63eefb21930aca (patch)
tree6800ce6725117eae34d1514b7cf7fbf475cf1186
parent91262e75dd1d80f8f28a3922934ec7e59290e28c (diff)
downloadhaskell-e62391a75c8dc304f902e732fc63eefb21930aca.tar.gz
[RTS] Harden against buffer overflow
This sprintf is safe thanks to the guarantees on the format strings that we pass to it. Well, almost. The GR_FILENAME_FMT_GUM format would not have satisfied them if it was still used. If someone makes a mistake that's a potential privilege escalation, so I think it's reasonable to switch to snprintf to protect against that remote possibility. Test Plan: it builds, CI Reviewers: simonmar, bgamari, austin, erikd Reviewed By: bgamari Subscribers: rwbarton, thomie Differential Revision: https://phabricator.haskell.org/D3944
-rw-r--r--includes/rts/Flags.h1
-rw-r--r--rts/RtsFlags.c3
2 files changed, 2 insertions, 2 deletions
diff --git a/includes/rts/Flags.h b/includes/rts/Flags.h
index 6700f9d95f..6040201c73 100644
--- a/includes/rts/Flags.h
+++ b/includes/rts/Flags.h
@@ -263,7 +263,6 @@ extern RTS_FLAGS RtsFlags;
#define STATS_FILENAME_MAXLEN 128
#define GR_FILENAME_FMT "%0.124s.gr"
-#define GR_FILENAME_FMT_GUM "%0.120s.%03d.%s"
#define HP_FILENAME_FMT "%0.124s.hp"
#define LIFE_FILENAME_FMT "%0.122s.life"
#define PROF_FILENAME_FMT "%0.122s.prof"
diff --git a/rts/RtsFlags.c b/rts/RtsFlags.c
index 06d59f0550..ec21ef1050 100644
--- a/rts/RtsFlags.c
+++ b/rts/RtsFlags.c
@@ -1636,7 +1636,8 @@ openStatsFile (char *filename, // filename, or NULL
}
/* default <program>.<ext> */
char stats_filename[STATS_FILENAME_MAXLEN];
- sprintf(stats_filename, filename_fmt, prog_name);
+ snprintf(stats_filename, STATS_FILENAME_MAXLEN, filename_fmt,
+ prog_name);
f = fopen(stats_filename,"w");
}
if (f == NULL) {
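Review bot: The return value of the new `snprintf` call is discarded, so if a format string ever produces more than the buffer holds, the name is truncated silently and the following `fopen(stats_filename,"w")` creates or truncates a file under a different name than the one intended. Capture the result and skip the open on truncation or error, e.g. `int n = snprintf(stats_filename, sizeof stats_filename, filename_fmt, prog_name);` followed by `f = (n < 0 || (size_t)n >= sizeof stats_filename) ? NULL : fopen(stats_filename, "w");`, which should then fall into the existing `if (f == NULL)` branch. Writing the bound as `sizeof stats_filename` rather than `STATS_FILENAME_MAXLEN` keeps it tied to the array if the declaration ever changes. openStatsFile begins and ends outside the hunk, so how that branch reports the failure (and whether it relies on errno) is not visible here and should be confirmed.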