In NtUserInsertMenuItem, try to copy the whole MENUITEMINFOW structure from caller. If it fails, try without the last field Modified: trunk/reactos/subsys/win32k/ntuser/menu.c _____
Modified: trunk/reactos/subsys/win32k/ntuser/menu.c
--- trunk/reactos/subsys/win32k/ntuser/menu.c 2005-11-23 13:13:09 UTC (rev 19484)
+++ trunk/reactos/subsys/win32k/ntuser/menu.c 2005-11-23 13:45:34 UTC (rev 19485)
@@ -907,7 +907,7 @@
pos = IntInsertMenuItemToList(MenuObject, MenuItem, pos);
- DPRINT("IntInsertMenuItemToList = %i\n", pos);
+ DPRINT("IntInsertMenuItemToList = %i\n", pos);
return (pos >= 0);
 }
@@ -1554,24 +1554,37 @@
if(!(Menu = UserGetMenuObject(hMenu)))
 {
- RETURN(0);
+ RETURN( FALSE);
 }
+ /* Try to copy the whole MENUITEMINFOW structure */
 Status = MmCopyFromCaller(&ItemInfo, UnsafeItemInfo, sizeof(MENUITEMINFOW));
- if (! NT_SUCCESS(Status))
+ if (NT_SUCCESS(Status))
 {
- SetLastNtError(Status);
- RETURN( FALSE);
+ if (sizeof(MENUITEMINFOW) != ItemInfo.cbSize
+ && FIELD_OFFSET(MENUITEMINFOW, hbmpItem) != ItemInfo.cbSize)
+ {
+ SetLastWin32Error(ERROR_INVALID_PARAMETER);
+ RETURN( FALSE);
+ }
+ RETURN( IntInsertMenuItem(Menu, uItem, fByPosition, &ItemInfo));
 }
- /* structure can be 44 bytes or 48 bytes in size
- if (ItemInfo.cbSize != sizeof(MENUITEMINFOW))
+
+ /* Try to copy without last field (not present in older versions) */
+ Status = MmCopyFromCaller(&ItemInfo, UnsafeItemInfo, FIELD_OFFSET(MENUITEMINFOW, hbmpItem));
+ if (NT_SUCCESS(Status))
 {
- SetLastWin32Error(ERROR_INVALID_PARAMETER);
- RETURN( FALSE);
+ if (FIELD_OFFSET(MENUITEMINFOW, hbmpItem) != ItemInfo.cbSize)
+ {
+ SetLastWin32Error(ERROR_INVALID_PARAMETER);
+ RETURN( FALSE);
+ }
+ ItemInfo.hbmpItem = (HBITMAP)0;
+ RETURN( IntInsertMenuItem(Menu, uItem, fByPosition, &ItemInfo));
 }
- */
- RETURN( IntInsertMenuItem(Menu, uItem, fByPosition, &ItemInfo));
+ SetLastNtError(Status);
+ RETURN( FALSE);
CLEANUP: DPRINT("Leave NtUserInsertMenuItem, ret=%i\n",_ret_); @@ -1955,7 +1968,7 @@ return( FALSE); } if (sizeof(MENUITEMINFOW) != Size - && sizeof(MENUITEMINFOW) - sizeof(HBITMAP) != Size + && FIELD_OFFSET(MENUITEMINFOW, hbmpItem) != Size && sizeof(ROSMENUITEMINFO) != Size) { SetLastWin32Error(ERROR_INVALID_PARAMETER); @@ -1969,7 +1982,7 @@ } /* If this is a pre-0x0500 _WIN32_WINNT MENUITEMINFOW, you can't set/get hbmpItem */ - if (sizeof(MENUITEMINFOW) - sizeof(HBITMAP) == Size + if (FIELD_OFFSET(MENUITEMINFOW, hbmpItem) == Size && 0 != (ItemInfo.fMask & MIIM_BITMAP)) { SetLastWin32Error(ERROR_INVALID_PARAMETER);
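Review bot: In the NtUserInsertMenuItem hunk (@@ -1554), the first branch accepts a caller whose `cbSize` equals `FIELD_OFFSET(MENUITEMINFOW, hbmpItem)` but never clears `ItemInfo.hbmpItem`. That field then holds whatever bytes followed the shorter structure in the caller's memory, which the full-size `MmCopyFromCaller` copied in, and it is passed on to `IntInsertMenuItem`. Only the fallback branch zeroes it. Adding `if (FIELD_OFFSET(MENUITEMINFOW, hbmpItem) == ItemInfo.cbSize) ItemInfo.hbmpItem = (HBITMAP)0;` before the first `RETURN( IntInsertMenuItem(...))` would make the two paths agree. Rejecting `MIIM_BITMAP` for the short size, as the last hunk of this commit does for its own `Size` check, may also be wanted here. The function body starts and ends outside the hunk, so later handling of the field is not visible.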