Dear Maintainer, I tried to collect some more information and might have found something.
The allocator aborts at the backtrace below. A valgrind run points to the same function txt_add_fragment. It seems that in line 2121 the allocation takes place with 12 bytes total, then a memset is done with 12 bytes. But in line 2126 the memcpy is done with 24 bytes, so it writes 12 bytes past the end of the allocation. This is because allocation is done with penum->TextBufferIndex == 3, but the memcpy uses penum->text.size == 6. (For the given input file.) The same pattern appears in lines 2134 to 2139. But I cannot tell whether the wrong variable is used for the size, or whether the variables themselves contain wrong values. It might be related to this upstream bug, which touches the same lines: https://bugs.ghostscript.com/show_bug.cgi?id=701877 Kind regards, Bernhard https://sources.debian.org/src/ghostscript/9.52%7Edfsg-1/devices/vector/gdevtxtw.c/#L2121 https://git.ghostscript.com/?p=ghostpdl.git;a=blob;f=devices/vector/gdevtxtw.c;h=87f9355d8771e1fa546b4eb687ae4078ef2abdff;hb=HEAD#l2121 2121 penum->text_state->Widths = (float *)gs_malloc(tdev->memory->stable_memory, 2122 penum->TextBufferIndex, sizeof(float), "txtwrite alloc widths array"); 2123 if (!penum->text_state->Widths) 2124 return gs_note_error(gs_error_VMerror); 2125 memset(penum->text_state->Widths, 0x00, penum->TextBufferIndex * sizeof(float)); 2126 memcpy(penum->text_state->Widths, penum->Widths, penum->text.size * sizeof(float)); (gdb) bt #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 #1 0x00007fb706bae55b in __GI_abort () at abort.c:79 #2 0x00007fb706c06ff8 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7fb706d13f3e "%s\n") at ../sysdeps/posix/libc_fatal.c:181 #3 0x00007fb706c0e39a in malloc_printerr (str=str@entry=0x7fb706d16010 "malloc(): invalid size (unsorted)") at malloc.c:5339 #4 0x00007fb706c11304 in _int_malloc (av=av@entry=0x7fb706d45b80 <main_arena>, bytes=bytes@entry=62) at malloc.c:3736 #5 0x00007fb706c12a74 in __GI___libc_malloc (bytes=bytes@entry=62) at malloc.c:3058 #6 0x00007fb7070a3445 in gs_heap_alloc_bytes (mem=0x5600c40c5c40, 
size=14, cname=0x7fb7072389c8 "txtwrite alloc sorted text buffer") at ./base/gsmalloc.c:191 #7 0x00007fb706fe88e1 in txt_add_fragment (penum=0x5600c45abea8, tdev=<optimized out>) at ./devices/vector/gdevtxtw.c:2141 #8 textw_text_process (pte=0x5600c45abea8) at ./devices/vector/gdevtxtw.c:2241 #9 0x00007fb70717b8a0 in op_show_continue (i_ctx_p=0x5600c40f9778) at ./psi/zchar.c:690 #10 op_show_continue (i_ctx_p=0x5600c40f9778) at ./psi/zchar.c:685 #11 0x00007fb70715d739 in interp (perror_object=<optimized out>, pref=<optimized out>, pi_ctx_p=<optimized out>) at ./psi/interp.c:1300 #12 gs_call_interp (pi_ctx_p=pi_ctx_p@entry=0x5600c40c6590, pref=pref@entry=0x7ffff75a4350, user_errors=user_errors@entry=1, pexit_code=pexit_code@entry=0x7ffff75a43cc, perror_object=<optimized out>) at ./psi/interp.c:520 #13 0x00007fb70715ec7a in gs_interpret (pi_ctx_p=pi_ctx_p@entry=0x5600c40c6590, pref=pref@entry=0x7ffff75a4350, user_errors=user_errors@entry=1, pexit_code=pexit_code@entry=0x7ffff75a43cc, perror_object=<optimized out>, perror_object@entry=0x7ffff75a43d0) at ./psi/interp.c:477 #14 0x00007fb70715153e in gs_main_interpret (perror_object=0x7ffff75a43d0, pexit_code=0x7ffff75a43cc, user_errors=1, pref=0x7ffff75a4350, minst=<optimized out>) at ./psi/imain.c:791 #15 gs_main_run_string_end (minst=minst@entry=0x5600c40c64f0, user_errors=user_errors@entry=1, pexit_code=pexit_code@entry=0x7ffff75a43cc, perror_object=perror_object@entry=0x7ffff75a43d0) at ./psi/imain.c:791 #16 0x00007fb7071515d1 in gs_main_run_string_with_length (str=<optimized out>, length=<optimized out>, perror_object=0x7ffff75a43d0, pexit_code=0x7ffff75a43cc, user_errors=1, minst=0x5600c40c64f0) at ./psi/imain.c:735 #17 gs_main_run_string_with_length (minst=0x5600c40c64f0, str=0x5600c41c2720 "<6f75742e706466>.runfile", length=24, user_errors=1, pexit_code=0x7ffff75a43cc, perror_object=0x7ffff75a43d0) at ./psi/imain.c:721 #18 0x00007fb7071534ef in run_string (minst=minst@entry=0x5600c40c64f0, 
str=str@entry=0x5600c41c2720 "<6f75742e706466>.runfile", options=options@entry=3, user_errors=user_errors@entry=1, pexit_code=0x7ffff75a43cc, pexit_code@entry=0x0, perror_object=0x7ffff75a43d0, perror_object@entry=0x0) at ./psi/imainarg.c:1119 #19 0x00007fb7071537e6 in runarg (minst=minst@entry=0x5600c40c64f0, arg=arg@entry=0x7ffff75a4508 "out.pdf", post=post@entry=0x7fb70725cc5c ".runfile", options=options@entry=3, user_errors=1, pexit_code=pexit_code@entry=0x0, perror_object=0x0, pre=0x7fb70723aced "") at ./psi/imainarg.c:1088 #20 0x00007fb707153904 in argproc (arg=0x7ffff75a4508 "out.pdf", minst=0x5600c40c64f0) at ./psi/imainarg.c:1010 #21 argproc (minst=0x5600c40c64f0, arg=0x7ffff75a4508 "out.pdf") at ./psi/imainarg.c:995 #22 0x00007fb707155010 in gs_main_init_with_args01 (minst=minst@entry=0x5600c40c64f0, argc=7, argv=0x7ffff75a5038) at ./psi/imainarg.c:241 #23 0x00007fb7071552b9 in gs_main_init_with_args (minst=0x5600c40c64f0, argc=<optimized out>, argv=<optimized out>) at ./psi/imainarg.c:288 #24 0x00005600c38461bc in main (argc=7, argv=0x7ffff75a5038) at ./psi/dxmainc.c:86
# From submitter: Stack trace of thread 31898: #0 0x00007f7a61751671 __strlen_avx2 (libc.so.6 + 0x15e671) #1 0x00007f7a618032f9 _cups_strlcpy (libcups.so.2 + 0x4d2f9) #2 0x000055a058ca1a36 main (rastertopwg + 0x1a36) #3 0x00007f7a61619e0b __libc_start_main (libc.so.6 + 0x26e0b) #4 0x000055a058ca21aa _start (rastertopwg + 0x21aa) ########### # Unstable amd64 qemu VM 2020-03-20 apt update apt dist-upgrade apt install systemd-coredump gdb cups cups-dbgsym libcups2-dbgsym reboot # dpkg -l | grep cups ii cups 2.3.1-11 amd64 Common UNIX Printing System(tm) - PPD/driver support, web interface ii cups-browsed 1.27.2-1 amd64 OpenPrinting CUPS Filters - cups-browsed ii cups-client 2.3.1-11 amd64 Common UNIX Printing System(tm) - client programs (SysV) ii cups-common 2.3.1-11 all Common UNIX Printing System(tm) - common files ii cups-core-drivers 2.3.1-11 amd64 Common UNIX Printing System(tm) - driverless printing ii cups-daemon 2.3.1-11 amd64 Common UNIX Printing System(tm) - daemon ii cups-dbgsym 2.3.1-11 amd64 debug symbols for cups ii cups-filters 1.27.2-1 amd64 OpenPrinting CUPS Filters - Main Package ii cups-filters-core-drivers 1.27.2-1 amd64 OpenPrinting CUPS Filters - Driverless printing ii cups-ipp-utils 2.3.1-11 amd64 Common UNIX Printing System(tm) - IPP developer/admin utilities ii cups-ppdc 2.3.1-11 amd64 Common UNIX Printing System(tm) - PPD manipulation utilities ii cups-server-common 2.3.1-11 all Common UNIX Printing System(tm) - server common files ii libcups2:amd64 2.3.1-11 amd64 Common UNIX Printing System(tm) - Core library ii libcups2-dbgsym:amd64 2.3.1-11 amd64 debug symbols for libcups2 ii libcupsfilters1:amd64 1.27.2-1 amd64 OpenPrinting CUPS Filters - Shared library gdb -q set width 0 set pagination off file /usr/lib/cups/filter/rastertopwg b main run dele 1 generate-core-file /tmp/core kill y q gdb -q set width 0 set pagination off file /usr/lib/cups/filter/rastertopwg core /tmp/core disassemble _start b *0x00005555555561a4 disassemble 
__libc_start_main b *0x00007ffff7d8ee09 disassemble main b *0x0000555555555a31 disassemble _cups_strlcpy b *0x00007ffff7f782f4 disassemble __strlen_avx2 b *0x00007ffff7ec6671 info b 0x00007ffff7ec6671 in __strlen_avx2 at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65 0x00007ffff7f782f4 in _cups_strlcpy at string.c:739 0x0000555555555a31 in main at rastertopwg.c:274 0x00007ffff7d8ee09 in __libc_start_main at ../csu/libc-start.c:308 0x00005555555561a4 <_start+36> 0x00007...671 in __strlen_avx2 at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65 0x00007...2f4 in _cups_strlcpy at string.c:739 0x00005...a31 in main at rastertopwg.c:274 0x00007...e09 in __libc_start_main at ../csu/libc-start.c:308 0x00005...1a4 <_start+36> https://sources.debian.org/src/cups/2.3.1-11/cups/string.c/#L739 https://sources.debian.org/src/cups/2.3.1-11/filter/rastertopwg.c/#L274