SIGABRT with "free(): invalid next size (normal)" in HPCupsFilter::cleanup

Bug #1904318 reported by Ian Campbell
Affects: HPLIP | Importance: Undecided | Assigned to: Unassigned

Bug Description

I have been seeing a crash when printing for some time. I have attached an example of a file which causes the crash.

dagon:/tmp# /usr/lib/cups/filter/pdftopdf 1 debian '' 1 '' </tmp/1605427739.pdf >print_step_1.pdf
<...see transcript.txt...>
dagon:/tmp# /usr/lib/cups/filter/gstoraster 1 debian '' 1 '' <print_step_1.pdf >print_step_2.raster
<...see transcript.txt...>
dagon:/tmp# /usr/lib/cups/filter/hpcups 1 debian '' 1 '' <print_step_2.raster >print_step_3.hpcups
STATE: -marker-supply-low-warning
PAGE: 1 1
PAGE: 2 1
free(): invalid next size (normal)
Aborted (core dumped)

dagon:/tmp# gdb /usr/lib/cups/filter/hpcups core
...
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007f5af802c537 in __GI_abort () at abort.c:79
#2 0x00007f5af80856c8 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f5af8193e31 "%s\n") at ../sysdeps/posix/libc_fatal.c:155
#3 0x00007f5af808c9ba in malloc_printerr (str=str@entry=0x7f5af8196238 "free(): invalid next size (normal)") at malloc.c:5347
#4 0x00007f5af808de8c in _int_free (av=0x7f5af81c5b80 <main_arena>, p=0x561e3ecd1fc0, have_lock=<optimized out>) at malloc.c:4322
#5 0x0000561e3d1255c6 in HPCupsFilter::cleanup (this=0x561e3d1881c0 <filter>) at prnt/hpcups/HPCupsFilter.cpp:227
#6 0x0000561e3d127df1 in HPCupsFilter::closeFilter (this=0x561e3d1881c0 <filter>) at prnt/hpcups/HPCupsFilter.cpp:221
#7 HPCupsFilter::StartPrintJob (this=0x561e3d1881c0 <filter>, argc=<optimized out>, argv=0x7fffb82c6f18) at prnt/hpcups/HPCupsFilter.cpp:604
#8 0x00007f5af802dcca in __libc_start_main (main=0x561e3d124e10 <main(int, char**)>, argc=6, argv=0x7fffb82c6f18, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffb82c6f08) at ../csu/libc-start.c:308
#9 0x0000561e3d124efa in _start () at prnt/hpcups/HPCupsFilter.cpp:919

The tail of an strace (from a different run to the above gdb session) is:

...
unlink("/root/hp_debian_cups_SwapedPagesXXXXXX") = -1 ENOENT (No such file or directory)
write(1, "\33E", 2) = 2
write(1, "\33%-12345X", 9) = 9
writev(2, [{iov_base="free(): invalid next size (norma"..., iov_len=34}, {iov_base="\n", iov_len=1}], 2) = 35
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f9a873ad000
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
rt_sigprocmask(SIG_BLOCK, ~[RTMIN RT_1], [], 8) = 0
getpid() = 2424977
gettid() = 2424977
tgkill(2424977, 2424977, SIGABRT) = 0
rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
--- SIGABRT {si_signo=SIGABRT, si_code=SI_TKILL, si_pid=2424977, si_uid=0} ---
+++ killed by SIGABRT (core dumped) +++

I am running Debian's package version 3.20.9+dfsg0-4

Revision history for this message
Ian Campbell (ijc) wrote :

Perhaps also useful:

dagon:/tmp# valgrind /usr/lib/cups/filter/hpcups 1 debian '' 1 '' <print_step_2.raster >print_step_3.hpcups
==2475946== Memcheck, a memory error detector
==2475946== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2475946== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==2475946== Command: /usr/lib/cups/filter/hpcups 1 debian 1
==2475946==
STATE: -marker-supply-low-warning
PAGE: 1 1
PAGE: 2 1
==2475946== Syscall param read(buf) points to unaddressable byte(s)
==2475946== at 0x4A1D04E: read (read.c:26)
==2475946== by 0x4948F4C: UnknownInlinedFun (unistd.h:44)
==2475946== by 0x4948F4C: cups_read_fd (raster-stubs.c:323)
==2475946== by 0x494827F: cups_raster_io (raster-stream.c:1372)
==2475946== by 0x494827F: _cupsRasterReadPixels (raster-stream.c:782)
==2475946== by 0x1126E7: HPCupsFilter::processRasterData(_cups_raster_s*) (HPCupsFilter.cpp:745)
==2475946== by 0x112DBE: HPCupsFilter::StartPrintJob(int, char**) (HPCupsFilter.cpp:584)
==2475946== by 0x4C41CC9: (below main) (libc-start.c:308)
==2475946== Address 0x5adcf44 is 0 bytes after a block of size 11,140 alloc'd
==2475946== at 0x483950F: operator new[](unsigned long) (vg_replace_malloc.c:431)
==2475946== by 0x111BE8: HPCupsFilter::startPage(cups_page_header2_s*) (HPCupsFilter.cpp:500)
==2475946== by 0x112792: HPCupsFilter::processRasterData(_cups_raster_s*) (HPCupsFilter.cpp:655)
==2475946== by 0x112DBE: HPCupsFilter::StartPrintJob(int, char**) (HPCupsFilter.cpp:584)
==2475946== by 0x4C41CC9: (below main) (libc-start.c:308)
==2475946==
==2475946==
==2475946== HEAP SUMMARY:
==2475946== in use at exit: 18,040 bytes in 5 blocks
==2475946== total heap usage: 2,179 allocs, 2,174 frees, 939,079 bytes allocated
==2475946==
==2475946== LEAK SUMMARY:
==2475946== definitely lost: 11,108 bytes in 2 blocks
==2475946== indirectly lost: 0 bytes in 0 blocks
==2475946== possibly lost: 0 bytes in 0 blocks
==2475946== still reachable: 6,932 bytes in 3 blocks
==2475946== suppressed: 0 bytes in 0 blocks
==2475946== Rerun with --leak-check=full to see details of leaked memory
==2475946==
==2475946== For lists of detected and suppressed errors, rerun with: -s
==2475946== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
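
The valgrind report above shows the mechanism behind the abort in the bug description: read() is handed a destination inside a block of 11,140 bytes allocated with new[] in startPage and writes 0 bytes past its end, and glibc only notices when cleanup frees the block and finds the neighbouring chunk's size field clobbered, hence "free(): invalid next size (normal)" rather than a fault at the read. The C program below is an added example, not hplip's code and not a reproduction of the filter: it models a page buffer sized from header fields and a line reader that is told the per-line byte count by the stream, and shows the capacity check that keeps the two from disagreeing silently. The names raster_header, page_buf and run_job are hypothetical, and a pipe carrying constructed bytes stands in for the CUPS raster stream.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical stand-in for the two cups_page_header2_t fields used here. */
struct raster_header {
    unsigned cupsBytesPerLine;
    unsigned cupsHeight;
};

/* Page buffer that carries its own capacity, so every write can be checked. */
struct page_buf {
    unsigned char *data;
    size_t cap;
    size_t used;
};

/* Size the buffer from the header; refuse zero sizes and products that wrap. */
int page_buf_init(struct page_buf *pb, const struct raster_header *h)
{
    if (h->cupsBytesPerLine == 0 || h->cupsHeight == 0)
        return -1;
    if ((size_t)h->cupsBytesPerLine > SIZE_MAX / h->cupsHeight)
        return -1;                                /* multiplication would overflow */
    pb->cap = (size_t)h->cupsBytesPerLine * h->cupsHeight;
    pb->used = 0;
    pb->data = malloc(pb->cap);
    return pb->data ? 0 : -1;
}

/* Read one raster line of line_bytes bytes from fd into the buffer.
 * Returns 1 on success, 0 on clean EOF before any byte, -1 on error or when
 * the line would not fit. The first test is the check the crash lacks: without
 * it read() scribbles past the allocation and free() aborts later. */
int page_buf_read_line(struct page_buf *pb, int fd, size_t line_bytes)
{
    if (line_bytes > pb->cap - pb->used)
        return -1;
    size_t got = 0;
    while (got < line_bytes) {
        ssize_t n = read(fd, pb->data + pb->used + got, line_bytes - got);
        if (n < 0) {
            if (errno == EINTR) continue;
            return -1;
        }
        if (n == 0)
            return got == 0 ? 0 : -1;             /* truncated line */
        got += (size_t)n;
    }
    pb->used += got;
    return 1;
}

/* Frees the page buffer, the step where glibc reports a corrupted neighbour. */
void page_buf_free(struct page_buf *pb)
{
    free(pb->data);
    pb->data = NULL;
    pb->cap = pb->used = 0;
}

/* Simulate a job. The buffer is sized from (bpl x height); the stream then
 * presents `lines` lines of `claimed` bytes each, which need not agree with
 * the header. Returns the number of lines accepted, or -1 if a line was
 * refused because it would have overrun the buffer. */
int run_job(unsigned bpl, unsigned height, size_t claimed, unsigned lines)
{
    struct raster_header h = { bpl, height };
    struct page_buf pb;
    if (claimed == 0 || page_buf_init(&pb, &h) != 0)
        return -1;

    int fds[2];
    if (pipe(fds) != 0) { page_buf_free(&pb); return -1; }

    /* Constructed raster payload: all bytes 0xA5, no real CUPS framing. */
    size_t total = claimed * lines;
    unsigned char *stream = malloc(total);
    memset(stream, 0xA5, total);
    if (write(fds[1], stream, total) != (ssize_t)total) {
        free(stream); close(fds[0]); close(fds[1]); page_buf_free(&pb);
        return -1;
    }
    close(fds[1]);
    free(stream);

    int accepted = 0;
    for (unsigned i = 0; i < lines; i++) {
        if (page_buf_read_line(&pb, fds[0], claimed) != 1) { accepted = -1; break; }
        accepted++;
    }
    close(fds[0]);
    page_buf_free(&pb);                           /* chunk headers intact, free() is quiet */
    return accepted;
}

int main(void)
{
    printf("header 64x2, stream 64 bytes/line x2: %d lines accepted\n", run_job(64, 2, 64, 2));
    printf("header 64x2, stream 80 bytes/line x2: %d (refused, no overflow)\n", run_job(64, 2, 80, 2));
    return 0;
}
```

If the `line_bytes > pb->cap - pb->used` test is removed, feeding 80-byte lines into the 128-byte buffer writes 32 bytes into the adjacent heap chunk and the program typically dies in page_buf_free with the same "free(): invalid next size" message as hpcups did, which is why the glibc report points at cleanup rather than at the read. Building with -fsanitize=address, or running under valgrind as in the comment above, moves the report to the read itself, which is the line that needs fixing.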

Revision history for this message
Ian Campbell (ijc) wrote :

I forgot to say -- printing does seem to work, i.e. the right things come out of the printer, but I get a "printing failed" message from CUPS every time.

I also added this as a Debian bug for tracking https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=974828. This also looks a little similar to https://bugs.launchpad.net/hplip/+bug/1901209 which is also a Debian bug, but I think not close enough to be considered the same.

Revision history for this message
Didier Raboud (odyx) wrote :

Over on the Debian bug #974828, Bernhard Übelacker proposed the following patch. What are your thoughts, dear upstream?
