Description
Hello.
There is a stack buffer overflow of the Record object in msilib.
After a brief analysis, I found that the implementation of the Record.GetString method has a stack overflow vulnerability.
It seems to be implemented in the msi.pyd file.
The vulnerable code snippet is below. pcchValueBuf is the length passed to the MsiRecordGetStringW() API, and szValueBuf is the output buffer; this buffer has 4000 bytes of space from rsp, which means 2000 WCHARs.
I think there is a slight mistake in calculating the buffer size.
Although a WCHAR is 2 bytes, the output size is still 4000, so a stack buffer overflow can happen.
```c
v3 = PyLong_AsUnsignedLongMask(a2);          /* field index from the Python argument */
if ( v3 == -1 && PyErr_Occurred() )
    return 0i64;
v5 = *(_DWORD *)(a1 + 16);                   /* handle of the Record object */
pcchValueBuf[0] = 4000;                      /* size passed to the API: 4000, but szValueBuf holds 2000 WCHARs */
v6 = szValueBuf;
StringW = MsiRecordGetStringW(v5, v3, szValueBuf, pcchValueBuf);
```

Test environment: Windows 10, Python 3.10.6.
This bug can be triggered with the PoC code below.
```python
import msilib
import msilib.schema

# Build a database with a CustomAction row whose Target column is 2000 characters long
database = msilib.init_database('test', msilib.schema, 'testProduct', msilib.gen_uuid(), 'testVersion', 'testManufacturer')
records = [('a', 1, 'c', 'd' * 2000)]
msilib.add_data(database, 'CustomAction', records)
database.Commit()
database.Close()

# Reopen it and read the long Target value back through Record.GetString
database = msilib.OpenDatabase('test', msilib.MSIDBOPEN_READONLY)
view = database.OpenView("select Target from CustomAction where `Action`= 'a'")
view.Execute(None)
record = view.Fetch()
record.GetString(1)
```

Feel free to ask any questions, and if there is anything I need to know, please let me know.
Best Regards.
Thank you.
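The buffer/length mismatch described in the report, shown as an added example that is neither CPython's msi.pyd code nor the reporter's PoC. It models the documented contract of MsiRecordGetStringW with a local stand-in (msi_get_string_mock, an assumption about the real API's behaviour) so it compiles and runs off Windows, constructs field values in memory instead of reading a real .msi, and goes beyond the report by also trying values longer than 2000 characters. The vulnerable pattern is reproduced against a heap block with a canary so the overrun can be measured without undefined behaviour, next to the hardened form that sizes the length in WCHARs and retries on ERROR_MORE_DATA.

```c
/* Added example: not CPython's msi.pyd code and not the reporter's PoC.
 * msi_get_string_mock is an assumed model of MsiRecordGetStringW's documented
 * contract; field values are constructed in memory, not read from an .msi. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t WCHAR;              /* 16-bit, like the Windows WCHAR */
typedef uint32_t DWORD;
#define ERROR_SUCCESS   0u
#define ERROR_MORE_DATA 234u

/* Model of MsiRecordGetStringW: on entry *pcch is the buffer size in WCHARs;
 * the value plus terminator is copied only if it fits, else ERROR_MORE_DATA.
 * In both cases *pcch is set to the value's length in WCHARs without NUL. */
static DWORD msi_get_string_mock(const WCHAR *field, WCHAR *buf, DWORD *pcch)
{
    DWORD len = 0;
    while (field[len] != 0) len++;
    if (len + 1 > *pcch) { *pcch = len; return ERROR_MORE_DATA; }
    memcpy(buf, field, ((size_t)len + 1) * sizeof(WCHAR));
    *pcch = len;
    return ERROR_SUCCESS;
}

/* Constructed field value: n copies of ch, NUL-terminated (caller frees). */
static WCHAR *make_field(size_t n, WCHAR ch)
{
    WCHAR *f = malloc((n + 1) * sizeof(WCHAR));
    if (!f) abort();
    for (size_t i = 0; i < n; i++) f[i] = ch;
    f[n] = 0;
    return f;
}

#define BUF_BYTES  4000                        /* stack space from the report */
#define BUF_WCHARS (BUF_BYTES / sizeof(WCHAR)) /* only 2000 WCHARs fit */

/* The bug pattern: pcch initialised to the byte count (4000) of a buffer that
 * holds 2000 WCHARs. The "buffer" here is the first 2000 WCHARs of a larger
 * heap block whose remainder is a canary, so the overrun is observable
 * without undefined behaviour. Returns bytes written past the buffer. */
size_t bytes_overrun_with_bug(size_t field_len)
{
    WCHAR *field = make_field(field_len, 'd');
    WCHAR *block = calloc(2 * BUF_WCHARS, sizeof(WCHAR));
    if (!block) abort();
    WCHAR *canary = block + BUF_WCHARS;
    for (size_t i = 0; i < BUF_WCHARS; i++) canary[i] = 0xCAFE;

    DWORD pcch = BUF_BYTES;                    /* should be BUF_WCHARS */
    msi_get_string_mock(field, block, &pcch);

    size_t clobbered = 0;
    for (size_t i = 0; i < BUF_WCHARS; i++)
        if (canary[i] != 0xCAFE) clobbered++;
    free(block);
    free(field);
    return clobbered * sizeof(WCHAR);
}

/* Hardened form: derive pcch from the buffer's element count and, on
 * ERROR_MORE_DATA, retry with a heap buffer of the size the API reports.
 * Returns a malloc'd copy (caller frees) and its length, or NULL. */
WCHAR *get_string_fixed(const WCHAR *field, DWORD *out_len)
{
    WCHAR stackbuf[BUF_WCHARS];
    WCHAR *heapbuf = NULL;
    WCHAR *src = stackbuf;
    DWORD pcch = (DWORD)(sizeof(stackbuf) / sizeof(stackbuf[0]));
    DWORD rc = msi_get_string_mock(field, stackbuf, &pcch);
    if (rc == ERROR_MORE_DATA) {
        DWORD need = pcch + 1;                 /* reported length + NUL */
        heapbuf = malloc((size_t)need * sizeof(WCHAR));
        if (!heapbuf) return NULL;
        pcch = need;
        rc = msi_get_string_mock(field, heapbuf, &pcch);
        src = heapbuf;
    }
    WCHAR *copy = NULL;
    if (rc == ERROR_SUCCESS) {
        copy = malloc(((size_t)pcch + 1) * sizeof(WCHAR));
        if (copy) {
            memcpy(copy, src, ((size_t)pcch + 1) * sizeof(WCHAR));
            if (out_len) *out_len = pcch;
        }
    }
    free(heapbuf);
    return copy;
}

/* 1 if the hardened path returns a field_len-character value intact. */
int fixed_roundtrip_ok(size_t field_len)
{
    WCHAR *field = make_field(field_len, 'd');
    DWORD len = 0;
    WCHAR *s = get_string_fixed(field, &len);
    int ok = s != NULL && len == field_len &&
             memcmp(s, field, (field_len + 1) * sizeof(WCHAR)) == 0;
    free(s);
    free(field);
    return ok;
}

int main(void)
{
    printf("2000-char value: %zu bytes past the buffer\n", bytes_overrun_with_bug(2000));
    printf("3000-char value: %zu bytes past the buffer\n", bytes_overrun_with_bug(3000));
    printf("hardened path intact for 3000 chars: %d\n", fixed_roundtrip_ok(3000));
    return 0;
}
```

With the byte count passed as the WCHAR count, a 2000-character value already spills its terminator past the buffer, and any value up to 3999 characters is accepted and written out to twice the buffer's size; the hardened path never writes more than 2000 WCHARs to the stack and falls back to the heap for longer values.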