http://bugs.winehq.org/show_bug.cgi?id=18915
--- Comment #2 from Yuri Khan yurivkhan@gmail.com 2009-06-12 12:38:50 ---

I have reviewed the code in file dlls/shdocvw/taskbarlist.c and identified the crash reason. The factory function
HRESULT TaskbarList_Create(IUnknown *outer, REFIID riid, void **taskbar_list)
does not check its riid parameter and always returns a pointer to the ITaskbarList interface of the newly created object, no matter what the client asked for.
If the client asks for an unrelated interface, trouble will happen when the client tries to invoke that interface's methods (code of the ITaskbarList method with the same vtable index will be called).
If the client asks for an extension of ITaskbarList (e.g. ITaskbarList2 or ITaskbarList3) and tries to call any extended methods, it will read the vtbl beyond its end and jump to a bogus location.
The ITaskbarList3 interface, in particular, is used to provide Windows 7 taskbar integration.
The conventional way to implement a COM class factory is to QueryInterface the newly created object for the requested riid.
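The two factory patterns contrasted in the comment, as an added example that is not Wine's code and not taken from dlls/shdocvw/taskbarlist.c. It builds a tiny COM-style object in plain C (its own stand-ins for HRESULT, GUID and the vtables, so it compiles outside Windows), gives it an ITaskbarList vtable only, and then shows a factory that ignores riid next to one that routes the request through QueryInterface. The function names TaskbarList_Create_broken, TaskbarList_Create_fixed and create_probe, and all IID values, are constructed for this example and are not the real Windows identifiers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-ins for the COM types (constructed for this example). */
typedef long HRESULT;
#define S_OK          ((HRESULT)0L)
#define E_NOINTERFACE ((HRESULT)0x80004002L)
#define E_OUTOFMEMORY ((HRESULT)0x8007000EL)

typedef struct { unsigned long Data1; unsigned short Data2, Data3; unsigned char Data4[8]; } GUID;
typedef const GUID *REFIID;
static int IsEqualIID(REFIID a, REFIID b) { return memcmp(a, b, sizeof(GUID)) == 0; }

/* Hypothetical IIDs, constructed here; not the real Windows values. */
static const GUID IID_IUnknown_x      = {0x00, 0, 0, {0}};
static const GUID IID_ITaskbarList_x  = {0x01, 0, 0, {0}};
static const GUID IID_ITaskbarList2_x = {0x02, 0, 0, {0}};
static const GUID IID_IUnrelated_x    = {0x99, 0, 0, {0}};

/* The object implements ITaskbarList only: IUnknown's three methods plus one of its own. */
typedef struct ITaskbarList ITaskbarList;
typedef struct {
    HRESULT       (*QueryInterface)(ITaskbarList *, REFIID, void **);
    unsigned long (*AddRef)(ITaskbarList *);
    unsigned long (*Release)(ITaskbarList *);
    HRESULT       (*HrInit)(ITaskbarList *);   /* illustrative ITaskbarList method */
} ITaskbarListVtbl;
struct ITaskbarList { const ITaskbarListVtbl *lpVtbl; };

typedef struct { ITaskbarList ITaskbarList_iface; unsigned long ref; } TaskbarListImpl;
/* The interface is the first member, so the cast is exact. */
static TaskbarListImpl *impl_from(ITaskbarList *iface) { return (TaskbarListImpl *)iface; }

static HRESULT tbl_QueryInterface(ITaskbarList *iface, REFIID riid, void **ppv)
{
    if (IsEqualIID(riid, &IID_IUnknown_x) || IsEqualIID(riid, &IID_ITaskbarList_x)) {
        *ppv = iface;
        iface->lpVtbl->AddRef(iface);
        return S_OK;
    }
    *ppv = NULL;                 /* anything else (ITaskbarList2, unrelated) is refused */
    return E_NOINTERFACE;
}
static unsigned long tbl_AddRef(ITaskbarList *iface) { return ++impl_from(iface)->ref; }
static unsigned long tbl_Release(ITaskbarList *iface)
{
    TaskbarListImpl *This = impl_from(iface);
    unsigned long ref = --This->ref;
    if (!ref) free(This);
    return ref;
}
static HRESULT tbl_HrInit(ITaskbarList *iface) { (void)iface; return S_OK; }
static const ITaskbarListVtbl tbl_vtbl = { tbl_QueryInterface, tbl_AddRef, tbl_Release, tbl_HrInit };

static TaskbarListImpl *new_object(void)
{
    TaskbarListImpl *o = malloc(sizeof(*o));
    if (!o) return NULL;
    o->ITaskbarList_iface.lpVtbl = &tbl_vtbl;
    o->ref = 1;                  /* creation reference */
    return o;
}

/* Pattern the comment describes: riid is ignored, ITaskbarList is handed out regardless.
 * A caller that asked for ITaskbarList2 will later index past the end of tbl_vtbl. */
HRESULT TaskbarList_Create_broken(void *outer, REFIID riid, void **out)
{
    TaskbarListImpl *o = new_object();
    (void)outer; (void)riid;
    if (!o) return E_OUTOFMEMORY;
    *out = &o->ITaskbarList_iface;
    return S_OK;
}

/* Conventional pattern: QueryInterface the new object for riid, then drop the creation ref.
 * On refusal the object is freed and *out is NULL, so the caller gets E_NOINTERFACE, not a crash. */
HRESULT TaskbarList_Create_fixed(void *outer, REFIID riid, void **out)
{
    TaskbarListImpl *o = new_object();
    HRESULT hr;
    (void)outer;
    if (!o) return E_OUTOFMEMORY;
    hr = tbl_QueryInterface(&o->ITaskbarList_iface, riid, out);   /* AddRef on success */
    tbl_Release(&o->ITaskbarList_iface);                          /* frees if QI failed */
    return hr;
}

/* Run one factory, release whatever came back through the vtable it really has, report hr. */
HRESULT create_probe(int use_fixed, REFIID riid, int *got_pointer)
{
    void *p = NULL;
    HRESULT hr = use_fixed ? TaskbarList_Create_fixed(NULL, riid, &p)
                           : TaskbarList_Create_broken(NULL, riid, &p);
    if (got_pointer) *got_pointer = (p != NULL);
    if (p) ((ITaskbarList *)p)->lpVtbl->Release((ITaskbarList *)p);
    return hr;
}

int main(void)
{
    printf("fixed,  ITaskbarList2: hr=0x%lx\n", (unsigned long)create_probe(1, &IID_ITaskbarList2_x, NULL));
    printf("broken, ITaskbarList2: hr=0x%lx\n", (unsigned long)create_probe(0, &IID_ITaskbarList2_x, NULL));
    return 0;
}
```

The probe deliberately releases through the ITaskbarList vtable in both cases; calling an ITaskbarList2 method on the broken factory's result would be the out-of-bounds vtable read the comment describes, so the example reports the wrong S_OK instead of reproducing it.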