SIGABRT with "free(): invalid next size (normal)" in HPCupsFilter::cleanup
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
HPLIP |
New
|
Undecided
|
Unassigned |
Bug Description
I have been seeing a crash when printing for some time. I have attached an example of a file which causes the crash.
dagon:/tmp# /usr/lib/
<...see transcript.txt...>
dagon:/tmp# /usr/lib/
<...see transcript.txt...>
dagon:/tmp# /usr/lib/
STATE: -marker-
PAGE: 1 1
PAGE: 2 1
free(): invalid next size (normal)
Aborted (core dumped)
dagon:/tmp# gdb /usr/lib/
...
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/
#1 0x00007f5af802c537 in __GI_abort () at abort.c:79
#2 0x00007f5af80856c8 in __libc_message (action=
#3 0x00007f5af808c9ba in malloc_printerr (str=str@
#4 0x00007f5af808de8c in _int_free (av=0x7f5af81c5b80 <main_arena>, p=0x561e3ecd1fc0, have_lock=
#5 0x0000561e3d1255c6 in HPCupsFilter:
#6 0x0000561e3d127df1 in HPCupsFilter:
#7 HPCupsFilter:
#8 0x00007f5af802dcca in __libc_start_main (main=0x561e3d1
#9 0x0000561e3d124efa in _start () at prnt/hpcups/
The tail of an strace (from a different run to the above gdb session) is:
...
unlink(
write(1, "\33E", 2) = 2
write(1, "\33%-12345X", 9) = 9
writev(2, [{iov_base="free(): invalid next size (norma"..., iov_len=34}, {iov_base="\n", iov_len=1}], 2) = 35
mmap(NULL, 4096, PROT_READ|
rt_sigprocmask(
rt_sigprocmask(
getpid() = 2424977
gettid() = 2424977
tgkill(2424977, 2424977, SIGABRT) = 0
rt_sigprocmask(
--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=2424977, si_uid=0} ---
+++ killed by SIGABRT (core dumped) +++
I am running Debian's package version 3.20.9+dfsg0-4
Perhaps also useful:
dagon:/tmp# valgrind /usr/lib/ cups/filter/ hpcups 1 debian '' 1 '' <print_ step_2. raster >print_ step_3. hpcups cups/filter/ hpcups 1 debian 1 supply- low-warning stubs.c: 323) stream. c:1372) Pixels (raster- stream. c:782) :processRasterD ata(_cups_ raster_ s*) (HPCupsFilter. cpp:745) :StartPrintJob( int, char**) (HPCupsFilter. cpp:584) malloc. c:431) :startPage( cups_page_ header2_ s*) (HPCupsFilter. cpp:500) :processRasterD ata(_cups_ raster_ s*) (HPCupsFilter. cpp:655) :StartPrintJob( int, char**) (HPCupsFilter. cpp:584)
==2475946== Memcheck, a memory error detector
==2475946== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2475946== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==2475946== Command: /usr/lib/
==2475946==
STATE: -marker-
PAGE: 1 1
PAGE: 2 1
==2475946== Syscall param read(buf) points to unaddressable byte(s)
==2475946== at 0x4A1D04E: read (read.c:26)
==2475946== by 0x4948F4C: UnknownInlinedFun (unistd.h:44)
==2475946== by 0x4948F4C: cups_read_fd (raster-
==2475946== by 0x494827F: cups_raster_io (raster-
==2475946== by 0x494827F: _cupsRasterRead
==2475946== by 0x1126E7: HPCupsFilter:
==2475946== by 0x112DBE: HPCupsFilter:
==2475946== by 0x4C41CC9: (below main) (libc-start.c:308)
==2475946== Address 0x5adcf44 is 0 bytes after a block of size 11,140 alloc'd
==2475946== at 0x483950F: operator new[](unsigned long) (vg_replace_
==2475946== by 0x111BE8: HPCupsFilter:
==2475946== by 0x112792: HPCupsFilter:
==2475946== by 0x112DBE: HPCupsFilter:
==2475946== by 0x4C41CC9: (below main) (libc-start.c:308)
==2475946==
==2475946==
==2475946== HEAP SUMMARY:
==2475946== in use at exit: 18,040 bytes in 5 blocks
==2475946== total heap usage: 2,179 allocs, 2,174 frees, 939,079 bytes allocated
==2475946==
==2475946== LEAK SUMMARY:
==2475946== definitely lost: 11,108 bytes in 2 blocks
==2475946== indirectly lost: 0 bytes in 0 blocks
==2475946== possibly lost: 0 bytes in 0 blocks
==2475946== still reachable: 6,932 bytes in 3 blocks
==2475946== suppressed: 0 bytes in 0 blocks
==2475946== Rerun with --leak-check=full to see details of leaked memory
==2475946==
==2475946== For lists of detected and suppressed errors, rerun with: -s
==2475946== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)