Fix stack buffer overflow in LocalizeRadix()

gladiator9797 · gladiator9797 · commit e8feba9c02ba · 2026-03-20T08:20:01.000+07:00
LocalizeRadix() uses strcpy() to copy the remainder of the input string
into an 80-byte stack buffer without bounds checking. When parsing a
floating-point number longer than ~78 characters in a locale where the
radix character differs from '.', the strcpy overflows the buffer.

The fix replaces the fixed-size stack buffer with a dynamically sized
one (stack-allocated up to 256 bytes, heap-allocated for longer strings),
and uses memcpy with explicit length instead of strcpy.

Reproducer:
  LC_ALL=de_DE.UTF-8
  Parse float string "1.000...001" with &gt;80 characters
  -&gt; AddressSanitizer: stack-buffer-overflow in LocalizeRadix (strtod.c:43)
diff --git a/upb/lex/strtod.c b/upb/lex/strtod.c
@@ -31,16 +31,20 @@ static int GetLocaleRadix(char *data, size_t capacity) {
 
 // Populates a string identical to *input except that the character pointed to
 // by pos (which should be '.') is replaced with the locale-specific radix.
+// output must have at least input_len + 8 bytes of space.
 
-static void LocalizeRadix(const char *input, const char *pos, char *output) {
-  const int len1 = pos - input;
+static void LocalizeRadix(const char *input, size_t input_len, const char *pos,
+                           char *output) {
+  const size_t len1 = pos - input;
 
   char radix[8];
   const int len2 = GetLocaleRadix(radix, sizeof(radix));
+  const size_t len3 = input_len - len1 - 1;
 
   memcpy(output, input, len1);
   memcpy(output + len1, radix, len2);
-  strcpy(output + len1 + len2, input + len1 + 1);
+  memcpy(output + len1 + len2, input + len1 + 1, len3);
+  output[len1 + len2 + len3] = '\0';
 }
 
 double _upb_NoLocaleStrtod(const char *str, char **endptr) {
@@ -59,8 +63,16 @@ double _upb_NoLocaleStrtod(const char *str, char **endptr) {
   // try to replace the '.' with a locale-specific radix character and
   // try again.
 
-  char localized[80];
-  LocalizeRadix(str, temp_endptr, localized);
+  const size_t str_len = strlen(str);
+  // Extra space for locale radix which may be multi-byte.
+  const size_t buf_size = str_len + 8;
+  char stack_buf[256];
+  char *localized = buf_size <= sizeof(stack_buf)
+                        ? stack_buf
+                        : (char *)malloc(buf_size);
+  if (!localized) return result;
+
+  LocalizeRadix(str, str_len, temp_endptr, localized);
   char *localized_endptr;
   result = strtod(localized, &localized_endptr);
   if ((localized_endptr - &localized[0]) > (temp_endptr - str)) {
@@ -73,5 +85,7 @@ double _upb_NoLocaleStrtod(const char *str, char **endptr) {
     }
   }
 
+  if (localized != stack_buf) free(localized);
+
   return result;
 }
