[New-bugs-announce] [issue22391] MSILIB truncates last character in summary information stream

Kevin Phillips report at bugs.python.org
Thu Sep 11 18:53:29 CEST 2014

New submission from Kevin Phillips:

I recently exploited a subtle bug with the msilib module's GetProperty method on the SummaryInformation class. When retrieving string-typed properties from the stream the last character in the string gets truncated, replaced by a null-byte.

I am using Python v3.2.5 64bit on Windows 7, and I've managed to reproduce the error with the following code snippet:

filename = "sample.msp"
patch_database = msilib.OpenDatabase(filename, msilib.MSIDBOPEN_READONLY | msilib.MSIDBOPEN_PATCHFILE)
summary_info = patch_database.GetSummaryInformation(20)
print (summary_info.GetProperty(msilib.PID_REVNUMBER))

The PID_REVNUMBER returns the patch-GUID for the Windows Installer patch file. In this example the GUID is returned properly however the character string is supposed to be delimited by curly braces - { }. Examination of the returned byte array shows that the leading curly brace is included by the final curly brace is not. Closer examination also shows that the last character in the byte array is \x00.

While it is possible, in this situation, to circumvent the bug by simply removing the trailing bytes and replacing them with a closing curly brace, this may not be so easy to work around for general character strings if the last character in the sequence is not static. As such I'd highly recommend fixing this in the source for the msilib module.

components: Library (Lib), Windows
messages: 226789
nosy: Kevin.Phillips
priority: normal
severity: normal
status: open
title: MSILIB truncates last character in summary information stream
type: behavior
versions: Python 3.2

Python tracker <report at bugs.python.org>

More information about the New-bugs-announce mailing list