http://bugs.winehq.org/show_bug.cgi?id=12307
--- Comment #20 from Michael Karcher wine@mkarcher.dialup.fu-berlin.de 2008-08-19 01:37:11 ---
It's a Uniscribe bug, not a Firefox bug.

ScriptPlace is called with hdc=0. According to MSDN this is OK, and means to use cached metrics/indices information only. Wine puts a DC into the script cache when it is created, and tries to use this DC to obtain font information, regardless of what DC is passed. This is wrong. Wine must use the DC passed to ScriptPlace instead. The crash is caused by the DC in the cache (which should not be there!) being stale. The stale hDC creates a chain reaction that leads to the crash:

a) GetGlyphIndicesW fails because of the stale DC in the cache. This failure does not get propagated in ScriptPlace, so ScriptPlace returns garbage in its output buffer without telling anyone that there is garbage.
b) ExtTextOutW is called with a valid DC and the uninitialized glyph index list. This causes GetGlyphOutline to fail, as these uninitialized values are invalid.
c) This causes UploadGlyph to fail.
d) This causes a crash in ExtTextOutW later.

The suggested patches fix d), which is worth fixing, but the real problem is that Wine's SCRIPT_CACHE contains a DC the application might have (and Firefox does so) deleted a long time ago.
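Added illustration, not code from the comment or from Wine's source: a constructed C model of the chain above, contrasting a cache that captured a DC at creation (and swallows the lookup failure) with one that keeps font data only, honours the hdc passed in, and propagates errors. Handle values, the toy glyph mapping, the 0xDEAD sentinel and the function names are all made up for the demo.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of the failure chain described in the comment; not Wine code.
 * A DC is a small integer handle (0 = NULL); delete_dc() makes it stale. */
enum { S_OK = 0, E_FAIL = -1, E_PENDING = -2 };   /* E_PENDING: hdc NULL, cache cannot answer */
#define MAX_DC 4
static int dc_live[MAX_DC];
static int  create_dc(int h) { dc_live[h] = 1; return h; }
static void delete_dc(int h) { dc_live[h] = 0; }
typedef struct {
    int cached_hdc, have_map;   /* buggy design keeps a DC; fixed design caches font data */
    uint16_t map[128];
} SCRIPT_CACHE;

/* Stand-in for querying font data through a DC (the GetGlyphIndicesW role). */
static int load_glyph_map(int hdc, uint16_t map[128]) {
    if (hdc <= 0 || hdc >= MAX_DC || !dc_live[hdc]) return E_FAIL;   /* NULL or deleted DC */
    for (int c = 0; c < 128; c++) map[c] = (uint16_t)(0x100 + c);   /* toy font */
    return S_OK;
}
/* Buggy: keeps the first DC in the cache, ignores later hdc, drops the lookup error. */
static int place_buggy(int hdc, SCRIPT_CACHE *sc, const char *s, int n, uint16_t *out) {
    uint16_t map[128];
    if (!sc->cached_hdc) sc->cached_hdc = hdc;
    if (load_glyph_map(sc->cached_hdc, map) == S_OK)   /* failure path leaves out[] untouched */
        for (int i = 0; i < n; i++) out[i] = map[(unsigned char)s[i] & 127];
    return S_OK;                                       /* caller sees success, out[] is garbage */
}
/* Fixed: the cache holds font data only; hdc == 0 is served from the cache or rejected. */
static int place_fixed(int hdc, SCRIPT_CACHE *sc, const char *s, int n, uint16_t *out) {
    if (!sc->have_map) {
        if (hdc == 0) return E_PENDING;
        int hr = load_glyph_map(hdc, sc->map);
        if (hr != S_OK) return hr;                     /* error propagated, not swallowed */
        sc->have_map = 1;
    }
    for (int i = 0; i < n; i++) out[i] = sc->map[(unsigned char)s[i] & 127];
    return S_OK;
}
/* Firefox-like sequence: place with DC 1, delete DC 1, place again with hdc = 0.
 * last_out[] is pre-filled with 0xDEAD so untouched entries stay visible; returns the 2nd status. */
uint16_t last_out[3];
int run_scenario(int use_fixed) {
    SCRIPT_CACHE sc; memset(&sc, 0, sizeof sc); memset(dc_live, 0, sizeof dc_live);
    int (*place)(int, SCRIPT_CACHE *, const char *, int, uint16_t *) = use_fixed ? place_fixed : place_buggy;
    int dc1 = create_dc(1);
    place(dc1, &sc, "abc", 3, last_out);
    delete_dc(dc1);
    for (int i = 0; i < 3; i++) last_out[i] = 0xDEAD;
    return place(0, &sc, "abc", 3, last_out);
}
```

The buggy variant reports S_OK while leaving the sentinel in the buffer, which is exactly the "garbage without telling anyone" step a) describes; the fixed variant answers the hdc=0 call from its cache and would return E_PENDING if it could not.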