Dear Maintainer,
I tried to collect some more information and might have found something.

The allocator aborts at the backtrace below.

A valgrind run points to the same function txt_add_fragment.

It seems that in line 2121 the allocation is made with
12 bytes total, then a memset is done with 12 bytes.
But in line 2126 the memcpy is done with 24 bytes.

This is because the allocation is sized by
penum->TextBufferIndex == 3, but the memcpy uses
penum->text.size == 6 (for the given input file).
A 24-byte memcpy into a 12-byte buffer writes 12 bytes past its end,
which would explain why the allocator does not fail at the copy itself
but only aborts in a later allocation (line 2141 in the backtrace below).

The same pattern appears in lines 2134 to 2139.

But I have no idea whether these are the right variables to compare,
or whether they simply contain wrong values.

It might be related to this upstream bug,
which touches the same lines:

  https://bugs.ghostscript.com/show_bug.cgi?id=701877

Kind regards,
Bernhard



https://sources.debian.org/src/ghostscript/9.52%7Edfsg-1/devices/vector/gdevtxtw.c/#L2121
https://git.ghostscript.com/?p=ghostpdl.git;a=blob;f=devices/vector/gdevtxtw.c;h=87f9355d8771e1fa546b4eb687ae4078ef2abdff;hb=HEAD#l2121

2121     penum->text_state->Widths = (float 
*)gs_malloc(tdev->memory->stable_memory,
2122         penum->TextBufferIndex, sizeof(float), "txtwrite alloc widths 
array");
2123     if (!penum->text_state->Widths)
2124         return gs_note_error(gs_error_VMerror);
2125     memset(penum->text_state->Widths, 0x00, penum->TextBufferIndex * 
sizeof(float));
2126     memcpy(penum->text_state->Widths, penum->Widths, penum->text.size * 
sizeof(float));





(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007fb706bae55b in __GI_abort () at abort.c:79
#2  0x00007fb706c06ff8 in __libc_message (action=action@entry=do_abort, 
fmt=fmt@entry=0x7fb706d13f3e "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007fb706c0e39a in malloc_printerr (str=str@entry=0x7fb706d16010 
"malloc(): invalid size (unsorted)") at malloc.c:5339
#4  0x00007fb706c11304 in _int_malloc (av=av@entry=0x7fb706d45b80 <main_arena>, 
bytes=bytes@entry=62) at malloc.c:3736
#5  0x00007fb706c12a74 in __GI___libc_malloc (bytes=bytes@entry=62) at 
malloc.c:3058
#6  0x00007fb7070a3445 in gs_heap_alloc_bytes (mem=0x5600c40c5c40, size=14, 
cname=0x7fb7072389c8 "txtwrite alloc sorted text buffer") at 
./base/gsmalloc.c:191
#7  0x00007fb706fe88e1 in txt_add_fragment (penum=0x5600c45abea8, 
tdev=<optimized out>) at ./devices/vector/gdevtxtw.c:2141
#8  textw_text_process (pte=0x5600c45abea8) at ./devices/vector/gdevtxtw.c:2241
#9  0x00007fb70717b8a0 in op_show_continue (i_ctx_p=0x5600c40f9778) at 
./psi/zchar.c:690
#10 op_show_continue (i_ctx_p=0x5600c40f9778) at ./psi/zchar.c:685
#11 0x00007fb70715d739 in interp (perror_object=<optimized out>, 
pref=<optimized out>, pi_ctx_p=<optimized out>) at ./psi/interp.c:1300
#12 gs_call_interp (pi_ctx_p=pi_ctx_p@entry=0x5600c40c6590, 
pref=pref@entry=0x7ffff75a4350, user_errors=user_errors@entry=1, 
pexit_code=pexit_code@entry=0x7ffff75a43cc, perror_object=<optimized out>) at 
./psi/interp.c:520
#13 0x00007fb70715ec7a in gs_interpret (pi_ctx_p=pi_ctx_p@entry=0x5600c40c6590, 
pref=pref@entry=0x7ffff75a4350, user_errors=user_errors@entry=1, 
pexit_code=pexit_code@entry=0x7ffff75a43cc, perror_object=<optimized out>, 
perror_object@entry=0x7ffff75a43d0) at ./psi/interp.c:477
#14 0x00007fb70715153e in gs_main_interpret (perror_object=0x7ffff75a43d0, 
pexit_code=0x7ffff75a43cc, user_errors=1, pref=0x7ffff75a4350, minst=<optimized 
out>) at ./psi/imain.c:791
#15 gs_main_run_string_end (minst=minst@entry=0x5600c40c64f0, 
user_errors=user_errors@entry=1, pexit_code=pexit_code@entry=0x7ffff75a43cc, 
perror_object=perror_object@entry=0x7ffff75a43d0) at ./psi/imain.c:791
#16 0x00007fb7071515d1 in gs_main_run_string_with_length (str=<optimized out>, 
length=<optimized out>, perror_object=0x7ffff75a43d0, 
pexit_code=0x7ffff75a43cc, user_errors=1, minst=0x5600c40c64f0) at 
./psi/imain.c:735
#17 gs_main_run_string_with_length (minst=0x5600c40c64f0, str=0x5600c41c2720 
"<6f75742e706466>.runfile", length=24, user_errors=1, 
pexit_code=0x7ffff75a43cc, perror_object=0x7ffff75a43d0) at ./psi/imain.c:721
#18 0x00007fb7071534ef in run_string (minst=minst@entry=0x5600c40c64f0, 
str=str@entry=0x5600c41c2720 "<6f75742e706466>.runfile", 
options=options@entry=3, user_errors=user_errors@entry=1, 
pexit_code=0x7ffff75a43cc, pexit_code@entry=0x0, perror_object=0x7ffff75a43d0, 
perror_object@entry=0x0) at ./psi/imainarg.c:1119
#19 0x00007fb7071537e6 in runarg (minst=minst@entry=0x5600c40c64f0, 
arg=arg@entry=0x7ffff75a4508 "out.pdf", post=post@entry=0x7fb70725cc5c 
".runfile", options=options@entry=3, user_errors=1, 
pexit_code=pexit_code@entry=0x0, perror_object=0x0, pre=0x7fb70723aced "") at 
./psi/imainarg.c:1088
#20 0x00007fb707153904 in argproc (arg=0x7ffff75a4508 "out.pdf", 
minst=0x5600c40c64f0) at ./psi/imainarg.c:1010
#21 argproc (minst=0x5600c40c64f0, arg=0x7ffff75a4508 "out.pdf") at 
./psi/imainarg.c:995
#22 0x00007fb707155010 in gs_main_init_with_args01 
(minst=minst@entry=0x5600c40c64f0, argc=7, argv=0x7ffff75a5038) at 
./psi/imainarg.c:241
#23 0x00007fb7071552b9 in gs_main_init_with_args (minst=0x5600c40c64f0, 
argc=<optimized out>, argv=<optimized out>) at ./psi/imainarg.c:288
#24 0x00005600c38461bc in main (argc=7, argv=0x7ffff75a5038) at 
./psi/dxmainc.c:86




# From submitter:
                                                Stack trace of thread 31898:
                                                #0  0x00007f7a61751671 
__strlen_avx2 (libc.so.6 + 0x15e671)
                                                #1  0x00007f7a618032f9 
_cups_strlcpy (libcups.so.2 + 0x4d2f9)
                                                #2  0x000055a058ca1a36 main 
(rastertopwg + 0x1a36)
                                                #3  0x00007f7a61619e0b 
__libc_start_main (libc.so.6 + 0x26e0b)
                                                #4  0x000055a058ca21aa _start 
(rastertopwg + 0x21aa)


###########


# Unstable amd64 qemu VM 2020-03-20


apt update
apt dist-upgrade


apt install systemd-coredump gdb cups cups-dbgsym libcups2-dbgsym

reboot



# dpkg -l | grep cups
ii  cups                          2.3.1-11                       amd64        
Common UNIX Printing System(tm) - PPD/driver support, web interface
ii  cups-browsed                  1.27.2-1                       amd64        
OpenPrinting CUPS Filters - cups-browsed
ii  cups-client                   2.3.1-11                       amd64        
Common UNIX Printing System(tm) - client programs (SysV)
ii  cups-common                   2.3.1-11                       all          
Common UNIX Printing System(tm) - common files
ii  cups-core-drivers             2.3.1-11                       amd64        
Common UNIX Printing System(tm) - driverless printing
ii  cups-daemon                   2.3.1-11                       amd64        
Common UNIX Printing System(tm) - daemon
ii  cups-dbgsym                   2.3.1-11                       amd64        
debug symbols for cups
ii  cups-filters                  1.27.2-1                       amd64        
OpenPrinting CUPS Filters - Main Package
ii  cups-filters-core-drivers     1.27.2-1                       amd64        
OpenPrinting CUPS Filters - Driverless printing
ii  cups-ipp-utils                2.3.1-11                       amd64        
Common UNIX Printing System(tm) - IPP developer/admin utilities
ii  cups-ppdc                     2.3.1-11                       amd64        
Common UNIX Printing System(tm) - PPD manipulation utilities
ii  cups-server-common            2.3.1-11                       all          
Common UNIX Printing System(tm) - server common files
ii  libcups2:amd64                2.3.1-11                       amd64        
Common UNIX Printing System(tm) - Core library
ii  libcups2-dbgsym:amd64         2.3.1-11                       amd64        
debug symbols for libcups2
ii  libcupsfilters1:amd64         1.27.2-1                       amd64        
OpenPrinting CUPS Filters - Shared library




gdb -q

set width 0
set pagination off
file /usr/lib/cups/filter/rastertopwg
b main
run
dele 1
generate-core-file /tmp/core
kill
y
q


gdb -q

set width 0
set pagination off
file /usr/lib/cups/filter/rastertopwg
core /tmp/core

disassemble _start
b *0x00005555555561a4

disassemble __libc_start_main
b *0x00007ffff7d8ee09

disassemble main
b *0x0000555555555a31

disassemble _cups_strlcpy
b *0x00007ffff7f782f4

disassemble __strlen_avx2
b *0x00007ffff7ec6671

info b





0x00007ffff7ec6671 in __strlen_avx2 at 
../sysdeps/x86_64/multiarch/strlen-avx2.S:65
0x00007ffff7f782f4 in _cups_strlcpy at string.c:739
0x0000555555555a31 in main at rastertopwg.c:274
0x00007ffff7d8ee09 in __libc_start_main at ../csu/libc-start.c:308
0x00005555555561a4 <_start+36>


0x00007...671 in __strlen_avx2 at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
0x00007...2f4 in _cups_strlcpy at string.c:739
0x00005...a31 in main at rastertopwg.c:274
0x00007...e09 in __libc_start_main at ../csu/libc-start.c:308
0x00005...1a4 <_start+36>




https://sources.debian.org/src/cups/2.3.1-11/cups/string.c/#L739
https://sources.debian.org/src/cups/2.3.1-11/filter/rastertopwg.c/#L274
