Index: win32ss/user/ntuser/object.c
===================================================================
--- win32ss/user/ntuser/object.c (revision 62482)
+++ win32ss/user/ntuser/object.c (working copy)
@@ -554,6 +554,47 @@
 if (handle) return (PWND)UserGetObjectNoErr(gHandleTable, handle, type);
 return NULL;
 }
+
+PVOID FASTCALL ValidateHandle(HANDLE handle, HANDLE_TYPE type)
+{
+ PVOID pObj;
+ DWORD dwError = 0;
+ if (handle)
+ {
+ pObj = UserGetObjectNoErr(gHandleTable, handle, type);
+ if (!pObj)
+ {
+ switch (type)
+ {
+ case TYPE_WINDOW:
+ dwError = ERROR_INVALID_WINDOW_HANDLE;
+ break;
+ case TYPE_MENU:
+ dwError = ERROR_INVALID_MENU_HANDLE;
+ break;
+ case TYPE_CURSOR:
+ dwError = ERROR_INVALID_CURSOR_HANDLE;
+ break;
+ case TYPE_SETWINDOWPOS:
+ dwError = ERROR_INVALID_DWP_HANDLE;
+ break;
+ case TYPE_HOOK:
+ dwError = ERROR_INVALID_HOOK_HANDLE;
+ break;
+ case TYPE_ACCELTABLE:
+ dwError = ERROR_INVALID_ACCEL_HANDLE;
+ break;
+ default:
+ dwError = ERROR_INVALID_HANDLE;
+ break;
+ }
+ EngSetLastError(dwError);
+ return NULL;
+ }
+ return pObj;
+ }
+ return NULL;
+}
 /*
 * NtUserValidateHandleSecure
Index: win32ss/user/ntuser/object.h
===================================================================
--- win32ss/user/ntuser/object.h (revision 62482)
+++ win32ss/user/ntuser/object.h (working copy)
@@ -19,6 +19,7 @@
 void DbgUserDumpHandleTable();
 VOID FASTCALL UserSetObjectOwner(PVOID obj, HANDLE_TYPE type, PVOID owner);
 HANDLE FASTCALL ValidateHandleNoErr(HANDLE handle, HANDLE_TYPE type);
+PVOID FASTCALL ValidateHandle(HANDLE handle, HANDLE_TYPE type);
 static __inline VOID UserRefObjectCo(PVOID obj, PUSER_REFERENCE_ENTRY UserReferenceEntry)
Index: win32ss/user/ntuser/window.c
===================================================================
--- win32ss/user/ntuser/window.c (revision 62482)
+++ win32ss/user/ntuser/window.c (working copy)
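Review bot: ValidateHandle in object.c has no header comment, and two parts of its contract are easy to get wrong at call sites: a NULL handle returns NULL without calling EngSetLastError, and the returned pointer comes straight from UserGetObjectNoErr with no reference taken inside this function. I would add above it `/* Returns the object for handle if it has the given type, else sets the last error and returns NULL. A NULL handle returns NULL with no error set; no reference is taken. */`. Whether the lookup also checks which process or desktop owns the object is not visible in this hunk, so callers that validate user-supplied handles should not assume it does.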
@@ -2571,6 +2571,16 @@
 ASSERT(plstrWindowName);
+ if ( (dwStyle&(WS_POPUP|WS_CHILD)) != WS_CHILD)
+ {
+ /* check hMenu is valid handle */
+ if (hMenu && !ValidateHandle(hMenu, TYPE_MENU))
+ {
+ /* error is set in ValidateHandle */
+ return NULL;
+ }
+ }
+ /* Copy the window name to kernel mode */
 Status = ProbeAndCaptureLargeString(&lstrWindowName, plstrWindowName);
 if (!NT_SUCCESS(Status))
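Review bot: The added check in window.c proves only that hMenu names an object of TYPE_MENU at the moment of the call; the pointer ValidateHandle returns is discarded, so nothing here ties the menu to the calling process or keeps it alive until the window-creation code later uses hMenu. The lookup as called takes only the table, the handle and the type, so it is worth confirming whether a menu owned by another process should be accepted at this point. The enclosing function starts and continues outside the hunk, so also confirm that nothing acquired before this early `return NULL;` needs releasing on that path. The style test would read more easily with a comment such as `/* for WS_CHILD windows hMenu carries a child ID, not a menu handle */`.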