In NtUserInsertMenuItem, try to copy the whole MENUITEMINFOW structure from caller. If it fails, try without the last field
Modified: trunk/reactos/subsys/win32k/ntuser/menu.c
Modified: trunk/reactos/subsys/win32k/ntuser/menu.c
--- trunk/reactos/subsys/win32k/ntuser/menu.c	2005-11-23 13:13:09 UTC (rev 19484)
+++ trunk/reactos/subsys/win32k/ntuser/menu.c	2005-11-23 13:45:34 UTC (rev 19485)
@@ -907,7 +907,7 @@

 
    pos = IntInsertMenuItemToList(MenuObject, MenuItem, pos);
 

-    DPRINT("IntInsertMenuItemToList = %i\n", pos);

+   DPRINT("IntInsertMenuItemToList = %i\n", pos);

 
    return (pos >= 0);
 }
@@ -1554,24 +1554,37 @@

 
    if(!(Menu = UserGetMenuObject(hMenu)))
    {

-      RETURN(0);

+      RETURN( FALSE);

    }
 

+   /* Try to copy the whole MENUITEMINFOW structure */

    Status = MmCopyFromCaller(&ItemInfo, UnsafeItemInfo, sizeof(MENUITEMINFOW));

-   if (! NT_SUCCESS(Status))

+   if (NT_SUCCESS(Status))

    {

-      SetLastNtError(Status);
-      RETURN( FALSE);

+      if (sizeof(MENUITEMINFOW) != ItemInfo.cbSize
+         && FIELD_OFFSET(MENUITEMINFOW, hbmpItem) != ItemInfo.cbSize)
+      {
+         SetLastWin32Error(ERROR_INVALID_PARAMETER);
+         RETURN( FALSE);
+      }
+      RETURN( IntInsertMenuItem(Menu, uItem, fByPosition, &ItemInfo));

    }

-   /* structure can be 44 bytes or 48 bytes in size
-   if (ItemInfo.cbSize != sizeof(MENUITEMINFOW))

+
+   /* Try to copy without last field (not present in older versions) */
+   Status = MmCopyFromCaller(&ItemInfo, UnsafeItemInfo, FIELD_OFFSET(MENUITEMINFOW, hbmpItem));
+   if (NT_SUCCESS(Status))

    {

-      SetLastWin32Error(ERROR_INVALID_PARAMETER);
-      RETURN( FALSE);

+      if (FIELD_OFFSET(MENUITEMINFOW, hbmpItem) != ItemInfo.cbSize)
+      {
+         SetLastWin32Error(ERROR_INVALID_PARAMETER);
+         RETURN( FALSE);
+      }
+      ItemInfo.hbmpItem = (HBITMAP)0;
+      RETURN( IntInsertMenuItem(Menu, uItem, fByPosition, &ItemInfo));

    }

-   */

 

-   RETURN( IntInsertMenuItem(Menu, uItem, fByPosition, &ItemInfo));

+   SetLastNtError(Status);
+   RETURN( FALSE);

 
 CLEANUP:
    DPRINT("Leave NtUserInsertMenuItem, ret=%i\n",_ret_);
@@ -1955,7 +1968,7 @@

       return( FALSE);
    }
    if (sizeof(MENUITEMINFOW) != Size

-         && sizeof(MENUITEMINFOW) - sizeof(HBITMAP) != Size

+         && FIELD_OFFSET(MENUITEMINFOW, hbmpItem) != Size

          && sizeof(ROSMENUITEMINFO) != Size)
    {
       SetLastWin32Error(ERROR_INVALID_PARAMETER);
@@ -1969,7 +1982,7 @@

    }
    /* If this is a pre-0x0500 _WIN32_WINNT MENUITEMINFOW, you can't
       set/get hbmpItem */

-   if (sizeof(MENUITEMINFOW) - sizeof(HBITMAP) == Size

+   if (FIELD_OFFSET(MENUITEMINFOW, hbmpItem) == Size

          && 0 != (ItemInfo.fMask & MIIM_BITMAP))
    {
       SetLastWin32Error(ERROR_INVALID_PARAMETER);