From fa3242a619ac28864f02568dd732646db5503300 Mon Sep 17 00:00:00 2001
From: James Tabor <james.tabor@reactos.org>
Date: Fri, 14 Mar 2014 02:39:18 +0000
Subject: [PATCH] [Win32k] - Patch by Maxim Andreyanov : CreateWindowEx have to
 set error when menu handle is invalid. - See CORE-7980.

svn path=/trunk/; revision=62494
---
 reactos/win32ss/user/ntuser/object.c | 41 ++++++++++++++++++++++++++++
 reactos/win32ss/user/ntuser/object.h |  1 +
 reactos/win32ss/user/ntuser/window.c | 10 +++++++
 3 files changed, 52 insertions(+)

diff --git a/reactos/win32ss/user/ntuser/object.c b/reactos/win32ss/user/ntuser/object.c
index 363e175a28f..4f7f1da4257 100644
--- a/reactos/win32ss/user/ntuser/object.c
+++ b/reactos/win32ss/user/ntuser/object.c
@@ -554,6 +554,47 @@ HANDLE FASTCALL ValidateHandleNoErr(HANDLE handle, HANDLE_TYPE type)
    if (handle) return (PWND)UserGetObjectNoErr(gHandleTable, handle, type);
    return NULL;
 }
+
+PVOID FASTCALL ValidateHandle(HANDLE handle, HANDLE_TYPE type)
+{
+  PVOID pObj;
+  DWORD dwError = 0;
+  if (handle) 
+  {
+      pObj = UserGetObjectNoErr(gHandleTable, handle, type);
+      if (!pObj)
+      {
+          switch (type)
+          {  
+              case TYPE_WINDOW:
+                  dwError = ERROR_INVALID_WINDOW_HANDLE;
+                  break;
+              case TYPE_MENU:
+                  dwError = ERROR_INVALID_MENU_HANDLE;
+                  break;
+              case TYPE_CURSOR:
+                  dwError = ERROR_INVALID_CURSOR_HANDLE;
+                  break;
+              case TYPE_SETWINDOWPOS:
+                  dwError = ERROR_INVALID_DWP_HANDLE;
+                  break;
+              case TYPE_HOOK:
+                  dwError = ERROR_INVALID_HOOK_HANDLE;
+                  break;
+              case TYPE_ACCELTABLE:
+                  dwError = ERROR_INVALID_ACCEL_HANDLE;
+                  break;
+              default:
+                  dwError = ERROR_INVALID_HANDLE;
+                  break;
+          }
+          EngSetLastError(dwError);
+          return NULL;
+      }
+      return pObj;
+  }
+  return NULL;
+}
       
 /*
  * NtUserValidateHandleSecure
diff --git a/reactos/win32ss/user/ntuser/object.h b/reactos/win32ss/user/ntuser/object.h
index bbfbde686d2..f305633dea2 100644
--- a/reactos/win32ss/user/ntuser/object.h
+++ b/reactos/win32ss/user/ntuser/object.h
@@ -19,6 +19,7 @@ BOOL FASTCALL UserObjectInDestroy(HANDLE);
 void DbgUserDumpHandleTable();
 VOID FASTCALL UserSetObjectOwner(PVOID obj, HANDLE_TYPE type, PVOID owner);
 HANDLE FASTCALL ValidateHandleNoErr(HANDLE handle, HANDLE_TYPE type);
+PVOID FASTCALL ValidateHandle(HANDLE handle, HANDLE_TYPE type);
 
 static __inline VOID
 UserRefObjectCo(PVOID obj, PUSER_REFERENCE_ENTRY UserReferenceEntry)
diff --git a/reactos/win32ss/user/ntuser/window.c b/reactos/win32ss/user/ntuser/window.c
index 90382406243..11915109217 100644
--- a/reactos/win32ss/user/ntuser/window.c
+++ b/reactos/win32ss/user/ntuser/window.c
@@ -2571,6 +2571,16 @@ NtUserCreateWindowEx(
 
     ASSERT(plstrWindowName);
 
+    if ( (dwStyle & (WS_POPUP|WS_CHILD)) != WS_CHILD) 
+    {
+        /* check hMenu is valid handle */
+        if (hMenu && !ValidateHandle(hMenu, TYPE_MENU))
+        {
+            /* error is set in ValidateHandle */
+            return NULL;
+        }
+    } 
+
     /* Copy the window name to kernel mode */
     Status = ProbeAndCaptureLargeString(&lstrWindowName, plstrWindowName);
     if (!NT_SUCCESS(Status))