From 5b4d1dbd4b2e0c55261edd915985bc986d3f5a18 Mon Sep 17 00:00:00 2001
From: Katayama Hirofumi MZ <katayama.hirofumi.mz@gmail.com>
Date: Fri, 6 Jun 2025 22:37:27 +0900
Subject: [PATCH] [NTUSER] IntTrackPopupMenuEx: Check TPMPARAMS.cbSize (#8092)

Validate structure size.
JIRA issue: CORE-3247
- In IntTrackPopupMenuEx function,
  if lpTpm was non-NULL, then
  validate lpTpm->cbSize.
- If validation failed, then set last
  error and return FALSE.
---
 win32ss/user/ntuser/menu.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/win32ss/user/ntuser/menu.c b/win32ss/user/ntuser/menu.c
index 6c454ae4d87..62dc07c62a6 100644
--- a/win32ss/user/ntuser/menu.c
+++ b/win32ss/user/ntuser/menu.c
@@ -4580,6 +4580,13 @@ BOOL WINAPI IntTrackPopupMenuEx( PMENU menu, UINT wFlags, int x, int y,
     BOOL ret = FALSE;
     PTHREADINFO pti = PsGetCurrentThreadWin32Thread();
 
+    if (lpTpm && lpTpm->cbSize != sizeof(*lpTpm))
+    {
+        ERR("Invalid TPMPARAMS size: got %u, expected %zu\n", lpTpm->cbSize, sizeof(*lpTpm));
+        EngSetLastError(ERROR_INVALID_PARAMETER);
+        return FALSE;
+    }
+
     if (pti != pWnd->head.pti)
     {
        ERR("Must be the same pti!\n");