I still don’t understand how changing this from short int to int fixes the compiler error:

src/output.c:424:18: error: ‘%.*g’ directive writing between 1 and 310 bytes into a region of size between 76 and 92 [-Werror=format-overflow=]  424 |       "%2ud %2um %.*gs",      |                  ^~~~src/output.c:424:7: note: assuming directive output of 309 bytes  424 |       "%2ud %2um %.*gs",      |       ^~~~~~~~~~~~~~~~~

but I do 100% agree that the argument to sprintf should be int. I’m going to just chalk this up to this gcc version not being quite right.

@esabol sprintf takes variadic arguments that is implemented using va_list in C language. sprintf decides how to format the memory chunk with arguments based on the template. I guess, it is like to read raw bytes from a stream and try to interpret them. There is an undefined behaviour if sprintf expects int type (4 bytes), but short int (2 bytes) is passed instead. It seems 2 extra bytes belong to the next argument, depending on the implementation of va_list. It is a real bug that can lead to some unexpected program behaviour and it should be fixed.

The problem with some magic numbers in temporary buffers is not so important. The case with buffer overflow is unlikely in this case. If we want to redesign this behaviour it should be rewritten completely. Some checks for buffer overflows should be implemented.

P.S.
Man sprintf tells:

A field width, or precision, or both, may be indicated by an asterisk ( '*' ). In this case an argument of typeint supplies the field width or precision. Applications shall ensure that arguments specifying field width, or precision, or both appear in that order before the argument, if any, to be converted.