From 41dbacdc71d86770ab81ab86b7e014ced96c8d8d Mon Sep 17 00:00:00 2001
From: Dylan Smith <dylan.ah.smith@gmail.com>
Date: Sun, 18 Jul 2010 00:59:34 -0400
Subject: [PATCH] user32: RegisterClassEx should check for invalid cbSize
 field.

---
 dlls/user32/class.c       |  4 ++--
 dlls/user32/tests/class.c | 20 ++++++++++++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/dlls/user32/class.c b/dlls/user32/class.c
index 72cafc793bc..6d1ab7feb71 100644
--- a/dlls/user32/class.c
+++ b/dlls/user32/class.c
@@ -486,7 +486,7 @@ ATOM WINAPI RegisterClassExA( const WNDCLASSEXA* wc )
     CLASS *classPtr;
     HINSTANCE instance;
 
-    if (wc->cbClsExtra < 0 || wc->cbWndExtra < 0 ||
+    if (wc->cbSize != sizeof(*wc) || wc->cbClsExtra < 0 || wc->cbWndExtra < 0 ||
         wc->hInstance == user32_module)  /* we can't register a class for user32 */
     {
          SetLastError( ERROR_INVALID_PARAMETER );
@@ -535,7 +535,7 @@ ATOM WINAPI RegisterClassExW( const WNDCLASSEXW* wc )
     CLASS *classPtr;
     HINSTANCE instance;
 
-    if (wc->cbClsExtra < 0 || wc->cbWndExtra < 0 ||
+    if (wc->cbSize != sizeof(*wc) || wc->cbClsExtra < 0 || wc->cbWndExtra < 0 ||
         wc->hInstance == user32_module)  /* we can't register a class for user32 */
     {
          SetLastError( ERROR_INVALID_PARAMETER );
diff --git a/dlls/user32/tests/class.c b/dlls/user32/tests/class.c
index 33c78bfa89b..800d763f303 100644
--- a/dlls/user32/tests/class.c
+++ b/dlls/user32/tests/class.c
@@ -315,6 +315,7 @@ static void check_thread_instance( const char *name, HINSTANCE inst, HINSTANCE i
 static void test_instances(void)
 {
     WNDCLASSA cls, wc;
+    WNDCLASSEXA wcexA;
     HWND hwnd, hwnd2;
     const char *name = "__test__";
     HINSTANCE kernel32 = GetModuleHandleA("kernel32");
@@ -348,6 +349,25 @@ static void test_instances(void)
     check_thread_instance( name, kernel32, kernel32, kernel32 );
     ok( UnregisterClassA( name, kernel32 ), "Unregister failed for kernel32\n" );
 
+    ZeroMemory(&wcexA, sizeof(wcexA));
+    wcexA.lpfnWndProc = DefWindowProcA;
+    wcexA.lpszClassName = "__classex_test__";
+    SetLastError(0xdeadbeef);
+    wcexA.cbSize = sizeof(wcexA) - 1;
+    ok( ((RegisterClassExA( &wcexA ) == 0) && (GetLastError() == ERROR_INVALID_PARAMETER)),
+          "Succeeded with invalid number of cbSize bytes\n");
+    SetLastError(0xdeadbeef);
+    wcexA.cbSize = sizeof(wcexA) + 1;
+    ok( ((RegisterClassExA( &wcexA ) == 0) && (GetLastError() == ERROR_INVALID_PARAMETER)),
+          "Succeeded with invalid number of cbSize bytes\n");
+    SetLastError(0xdeadbeef);
+    wcexA.cbSize = sizeof(wcexA);
+    ok( RegisterClassExA( &wcexA ), "Failed with valid number of cbSize bytes\n");
+    wcexA.cbSize = 0xdeadbeef;
+    ok( GetClassInfoEx(main_module, wcexA.lpszClassName, &wcexA), "GetClassInfoEx failed\n");
+    ok( wcexA.cbSize == 0xdeadbeef, "GetClassInfoEx returned wrong cbSize value %d\n", wcexA.cbSize);
+    UnregisterClassA(wcexA.lpszClassName, main_module);
+
     /* Bug 2631 - Supplying an invalid number of bytes fails */
     cls.cbClsExtra    = 0;
     cls.cbWndExtra    = -1;