gnome-settings-daemon crashed with SIGSEGV in dlopen_doit()

Binary package hint: gnome-settings-daemon

I've had gnome-settings-daemon crashing intermittently since Maverick, but after installing Natty I've found a way to crash it reproducibly. Apport does not produce a complete stacktrace because of bug #793292, so here is the relevant part of the stack trace:
#0 0x00007fa2ca2ef937 in elf_machine_rela (scope=0x1e31a90,
    reloc_mode=<value optimized out>, consider_profiling=0)
    at ../sysdeps/x86_64/dl-machine.h:295
#1 elf_dynamic_do_rela (scope=0x1e31a90, reloc_mode=<value optimized out>,
    consider_profiling=0) at do-rel.h:120
#2 _dl_relocate_object (scope=0x1e31a90, reloc_mode=<value optimized out>,
    consider_profiling=0) at dl-reloc.c:268
#3 0x00007fa2ca2f6db6 in dl_open_worker (a=0x7fff3acb07f0) at dl-open.c:339
#4 0x00007fa2ca2f2746 in _dl_catch_error (objname=0x7fff3acb0840,
    errstring=0x7fff3acb0838, mallocedp=0x7fff3acb084f,
    operate=0x7fa2ca2f6b30 <dl_open_worker>, args=0x7fff3acb07f0)
    at dl-error.c:178
#5 0x00007fa2ca2f73fa in _dl_open (file=0x7fa2c823b410 "libXcursor.so.1",
    mode=-2147483647, caller_dlopen=0x7fa2c7f213c2, nsid=-2, argc=2,
    argv=<value optimized out>, env=0x7fff3acb1720) at dl-open.c:555
#6 0x00007fa2c5c89f16 in dlopen_doit (a=0x7fff3acb0a10) at dlopen.c:67
#7 0x00007fa2ca2f2746 in _dl_catch_error (objname=0x1da32e0,
    errstring=0x1da32e8, mallocedp=0x1da32d8,
    operate=0x7fa2c5c89eb0 <dlopen_doit>, args=0x7fff3acb0a10)
    at dl-error.c:178
#8 0x00007fa2c5c8a52c in _dlerror_run (operate=0x7fa2c5c89eb0 <dlopen_doit>,
    args=0x7fff3acb0a10) at dlerror.c:164
#9 0x00007fa2c5c89fc1 in __dlopen (file=<value optimized out>,
    mode=<value optimized out>) at dlopen.c:88

The bad pointer seems to be supplied at frame #1, elf_dynamic_do_rela(), line 120 in file do-rel.h:
       elf_machine_rel (map, r, &symtab[ELFW(R_SYM) (r->r_info)],
          &map->l_versions[ndx],
          (void *) (l_addr + r->r_offset));

map->l_versions is NULL, and ndx is 6, so the function is passed an invalid pointer with an address of 6 * sizeof(map->l_versions). Since there is a null check in the function being called, one possible solution is that the fourth parameter could be
    map->l_versions ? &map->l_versions[ndx] : NULL
but I'm not familiar enough with this code to know if that is the right thing to do. I'm especially curious about whether it's valid in the first place for ndx to be nonzero if l_versions is NULL.

Even though the library to be dlopened is libXcursor, the crash apparently happens while processing the link_map of libsndfile. I've verified that there is only one libsndfile on my machine, and debsums indicates that all the files in the libsndfile1 are unaltered, so it doesn't seem to be due to corruption on my machine.

ProblemType: Crash
DistroRelease: Ubuntu 11.04
Package: gnome-settings-daemon 2.32.1-0ubuntu13.1
ProcVersionSignature: Ubuntu 2.6.38-8.42~ppa3-generic-tuxonice 2.6.38.2
Uname: Linux 2.6.38-8-generic-tuxonice x86_64
NonfreeKernelModules: nvidia
Architecture: amd64
CrashCounter: 1
Date: Sat Jun 4 20:49:57 2011
ExecutablePath: /usr/lib/gnome-settings-daemon/gnome-settings-daemon
ProcCmdline: /usr/lib/gnome-settings-daemon/gnome-settings-daemon --gconf-prefix=/apps/gdm/simple-greeter/settings-manager-plugins
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/false
 PATH=(custom, no user)
SegvAnalysis:
 Segfault happened at: 0x7fbaf2ab9937: mov 0x8(%r8),%edx
 PC (0x7fbaf2ab9937) ok
 source "0x8(%r8)" (0x00000068) not located in a known VMA region (needed readable region)!
 destination "%edx" ok
SegvReason: reading NULL VMA
Signal: 11
SourcePackage: gnome-settings-daemon
StacktraceTop:
 ?? () from /lib64/ld-linux-x86-64.so.2
 ?? () from /lib64/ld-linux-x86-64.so.2
 ?? () from /lib64/ld-linux-x86-64.so.2
 ?? () from /lib64/ld-linux-x86-64.so.2
 dlopen_doit (a=0x7fff6e91f090) at dlopen.c:67
Title: gnome-settings-daemon crashed with SIGSEGV in dlopen_doit()
UpgradeStatus: Upgraded to natty on 2011-06-04 (1 days ago)
UserGroups: