stack buffer overflow of Record Object in msilib

[win32virus]

hello.
There is a stack buffer overflow of Record object in msilib

After brief analysis, I was able to find that implementation of Record.GetString methods has a stack overflow vulnerability.
It seem to be implemented in msi.pyd file.

Vulnerable code snippet is below. pccValueBuf is the length of MsiRecordGetStringW() API, szValueBuf is a output buffer also this buffer has 4000 byte space from rsp, which means 2000 size of WCHAR.
I think there is slight mistake to calculate the buffer size.
Despite WCHAR is 2 byte, output size is still 4000, therefore stack buffer overflow could be happen.

v3 = PyLong_AsUnsignedLongMask(a2);
  if ( v3 == -1 && PyErr_Occurred() )
    return 0i64;
  v5 = *(_DWORD *)(a1 + 16);
  pcchValueBuf[0] = 4000;
  v6 = szValueBuf;
  StringW = MsiRecordGetStringW(v5, v3, szValueBuf, pcchValueBuf);

Test environment is Windows 10 as well as python version is 3.10.6
This bug can triggered by below PoC code.

import msilib
import msilib.schema

database = msilib.init_database('test', msilib.schema, 'testProduct',  msilib.gen_uuid(), 'testVersion', 'testManufacturer')
records = [('a',1,'c','d'*2000)]
msilib.add_data(database, 'CustomAction', records)
database.Commit()
database.Close()

database = msilib.OpenDatabase('test', msilib.MSIDBOPEN_READONLY)
view = database.OpenView("select Target from CustomAction where `Action`= 'a'")
view.Execute(None)
record = view.Fetch()
record.GetString(1)

Feel free to any question and If any what I have to know, please let me know.
Best Regards.
Thank you.

[zooba]

Yeah, looks like this line should be using an array size calculation, not plain sizeof:

cpython/PC/_msi.c

Line 487 in 95e271b

DWORD size = sizeof(buf);

[kumaraditya303]

IIUC Py_ARRAY_LENGTH can be used there.