From e8fe7004c7385f1df3335401300691926c6e0d80 Mon Sep 17 00:00:00 2001
From: Robert Shearman
Date: Mon, 27 Mar 2006 16:55:37 +0100
Subject: [PATCH] shell32: Adding a systray item with an invalid icon handle is allowed.
---
 dlls/shell32/systray.c | 12 +++++++++---
 programs/explorer/systray.c | 8 +-------
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/dlls/shell32/systray.c b/dlls/shell32/systray.c
index a99912fc158..32213cb9874 100644
--- a/dlls/shell32/systray.c
+++ b/dlls/shell32/systray.c
@@ -99,21 +99,26 @@ BOOL WINAPI Shell_NotifyIconW(DWORD dwMessage, PNOTIFYICONDATAW nid)
 LONG cbColourBits;
 if (!GetIconInfo(nid->hIcon, &iconinfo))
- return FALSE;
+ goto noicon;
 if (!GetObjectW(iconinfo.hbmMask, sizeof(bmMask), &bmMask) || !GetObjectW(iconinfo.hbmColor, sizeof(bmColour), &bmColour))
 {
 DeleteObject(iconinfo.hbmMask);
 DeleteObject(iconinfo.hbmColor);
- return FALSE;
+ goto noicon;
 }
 cbMaskBits = (bmMask.bmPlanes * bmMask.bmWidth * bmMask.bmHeight * bmMask.bmBitsPixel) / 8;
 cbColourBits = (bmColour.bmPlanes * bmColour.bmWidth * bmColour.bmHeight * bmColour.bmBitsPixel) / 8;
 cds.cbData = sizeof(*nid) + 2*sizeof(BITMAP) + cbMaskBits + cbColourBits;
 buffer = HeapAlloc(GetProcessHeap(), 0, cds.cbData);
- if (!buffer) return FALSE;
+ if (!buffer)
+ {
+ DeleteObject(iconinfo.hbmMask);
+ DeleteObject(iconinfo.hbmColor);
+ return FALSE;
+ }
 cds.lpData = buffer;
 memcpy(buffer, nid, sizeof(*nid));
@@ -132,6 +137,7 @@ BOOL WINAPI Shell_NotifyIconW(DWORD dwMessage, PNOTIFYICONDATAW nid)
 }
 else
 {
+noicon:
 cds.cbData = sizeof(*nid);
 cds.lpData = nid;
 }
diff --git a/programs/explorer/systray.c b/programs/explorer/systray.c
index adf8460980a..00036ff8d79 100644
--- a/programs/explorer/systray.c
+++ b/programs/explorer/systray.c
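Review bot: In dlls/shell32/systray.c both new `goto noicon` statements jump out of the icon branch into the body of the `else` block (the label is added in the second hunk of that file), which is legal C but hides the contract of the fallback: the caller's structure is sent as-is, presumably with `NIF_ICON` still set since the branch condition is outside the hunk, and only `cbData == sizeof(*nid)` tells the receiver that no bitmap data follows. I would state that at the label, e.g. `/* icon could not be read: send the bare NOTIFYICONDATAW; the receiver distinguishes this case by cbData */`. The `GetObjectW` fallback also triggers when `iconinfo.hbmColor` is NULL, which is presumably the case for a monochrome icon, so such icons would now be dropped silently instead of reported as a failure; worth confirming that is intended. The body of `Shell_NotifyIconW` starts and ends outside these hunks.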
@@ -259,7 +259,7 @@ static void handle_incoming(HWND hwndSource, COPYDATASTRUCT *cds)
 /* FIXME: if statement only needed because we don't support interprocess
 * icon handles */
- if (nid.uFlags & NIF_ICON)
+ if ((nid.uFlags & NIF_ICON) && (cds->cbData >= sizeof(nid) + 2 * sizeof(BITMAP)))
 {
 LONG cbMaskBits;
 LONG cbColourBits;
@@ -269,12 +269,6 @@ static void handle_incoming(HWND hwndSource, COPYDATASTRUCT *cds)
 buffer += sizeof(nid);
- if (cds->cbData < sizeof(nid) + 2 * sizeof(BITMAP))
- {
- WINE_ERR("buffer underflow\n");
- return;
- }
-
 memcpy(&bmMask, buffer, sizeof(bmMask));
 buffer += sizeof(bmMask);
 memcpy(&bmColour, buffer, sizeof(bmColour));
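Review bot: Folding the length test into the `if` in the first hunk of programs/explorer/systray.c makes a short payload with `NIF_ICON` set indistinguishable from the sender's deliberate bare-structure fallback, and the `WINE_ERR` that used to flag it is removed by the second hunk. Since `cds` appears to arrive from another process, I would still log the unexpected sizes, for example `else if ((nid.uFlags & NIF_ICON) && cds->cbData != sizeof(nid)) WINE_WARN("truncated icon data\n");`, provided the branch has no `else` already (the body continues outside the hunk). The test also covers only the two `BITMAP` headers; whether the mask and colour bit lengths derived from those received headers are checked against `cds->cbData` before the bits are read is not visible here and should be confirmed. The FIXME above the condition should mention the size check as well, because the `if` now serves two purposes.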