Dear Maintainer,

I could reproduce this issue too.
Attached is a valgrind run showing one invalid write and a gdb session showing the issue.

It looks like malloc's management data, which resides in the 8 bytes before a returned pointer, gets overwritten and therefore the free fails because "mchunk_size" is then 0.

Kind regards,
Bernhard


Old value = 6057
New value = 0
__memcpy_neon () at ../sysdeps/arm/armv7/multiarch/memcpy_impl.S:295
warning: Source file is more recent than executable.
295 tst count, #4
1: compressBuf = <error: current stack frame does not contain a variable named `this'>
2: /x *(int*)(0x7f5f43e8-4) = 0x0
(gdb) bt
#0 __memcpy_neon () at ../sysdeps/arm/armv7/multiarch/memcpy_impl.S:295
#1 0x7f55b8d2 in memcpy (__len=379, __src=<optimized out>, __dest=<optimized out>) at /usr/include/arm-linux-gnueabihf/bits/string_fortified.h:34
#2 Mode9::Process (this=0x7f5e0e70, input=0x7f5e0e84) at prnt/hpcups/Mode9.cpp:405
#3 0x7f562de0 in Pipeline::Process (raster=<optimized out>, this=0x7f5d7340) at prnt/hpcups/Pipeline.cpp:79
#4 Pipeline::Execute (this=0x7f5d7340, InputRaster=<optimized out>) at prnt/hpcups/Pipeline.cpp:79
#5 0x7f562e02 in Pipeline::Execute (this=0x7f5e6b88, InputRaster=<optimized out>) at prnt/hpcups/Pipeline.cpp:83
#6 0x7f562e02 in Pipeline::Execute (this=0x7f5e6b70, InputRaster=<optimized out>) at prnt/hpcups/Pipeline.cpp:83
#7 0x7f55a20a in HPCupsFilter::processRasterData (this=0x7f5b87c4 <filter>, cups_raster=<optimized out>) at prnt/hpcups/HPCupsFilter.cpp:766
#8 0x7f55a6ee in HPCupsFilter::StartPrintJob (this=0x7f5b87c4 <filter>, argc=6, argv=0xbefff7b4) at prnt/hpcups/HPCupsFilter.cpp:584
#9 0xb6bd9a20 in __libc_start_main (main=0x7f5587d1 <main(int, char**)>, argc=6, argv=0xbefff7b4, init=<optimized out>, fini=0x7f56ed5d <__libc_csu_fini>, rtld_fini=0xb6fe1075 <_dl_fini>, stack_end=0xbefff7b4) at libc-start.c:308
#10 0x7f55889c in _start () at prnt/hpcups/HPCupsFilter.cpp:919

https://sources.debian.org/src/hplip/3.20.5+dfsg0-3/prnt/hpcups/Mode9.cpp/#L405

# Bullseye/testing chroot 2020-10-23 running on Android/LineageOS kernel


apt update
apt dist-upgrade
apt install mc htop psmisc net-tools strace sshfs wget gdb gdbserver cups printer-driver-hpcups printer-driver-hpcups-dbgsym
apt build-dep libc6


root@localhost:~# lscpu
Architecture: armv7l
Byte Order: Little Endian
CPU(s): 4
On-line CPU(s) list: 0
Off-line CPU(s) list: 1-3
Thread(s) per core: 1
Core(s) per socket: 1
Socket(s): 1
Vendor ID: Qualcomm
Model: 0
Model name: Krait
Stepping: 0x1
CPU max MHz: 1728,0000
CPU min MHz: 384,0000
BogoMIPS: 13.50
Flags: swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4 idiva idivt

root@localhost:~# uname -a
Linux localhost 3.4.113-g2fff5b1955c0 #1 SMP PREEMPT Sun Mar 8 06:23:52 CST 2020 armv7l GNU/Linux


groupadd -g 3001 aid_net_bt_admin
groupadd -g 3002 aid_net_bt
groupadd -g 3003 aid_inet
groupadd -g 3004 aid_net_raw
groupadd -g 3005 aid_net_admin
groupadd -g 3006 aid_net_bw_stats
groupadd -g 3007 aid_net_bw_acct
groupadd -g 3008 aid_net_bt_stack
usermod -G 3003,3004 -a root
usermod -G 3003 -a benutzer
usermod -g 3003 -G 3003,3004 -a _apt


root@localhost:~# dpkg -l | grep driver-hpcups
ii printer-driver-hpcups 3.20.5+dfsg0-3+b1 armhf HP Linux Printing and Imaging - CUPS Raster driver (hpcups)
ii printer-driver-hpcups-dbgsym 3.20.5+dfsg0-3+b1 armhf debug symbols for printer-driver-hpcups


mkdir /home/benutzer/source/libc6/orig -p
cd /home/benutzer/source/libc6/orig
apt source libc6
cd


wget https://sources.debian.org/data/main/h/hplip/3.20.9+dfsg0-3/ppd/hpcups/hp-officejet_pro_1150c.ppd
gzip hp-officejet_pro_1150c.ppd

export PPD=/home/benutzer/hp-officejet_pro_1150c.ppd.gz
/usr/lib/cups/filter/pdftopdf 1 debian '' 1 '' </usr/share/cups/data/default-testpage.pdf >print_step_1.pdf
/usr/lib/cups/filter/gstoraster 1 debian '' 1 '' <print_step_1.pdf >print_step_2.raster
/usr/lib/cups/filter/hpcups 1 debian '' 1 '' <print_step_2.raster >print_step_3.hpcups


/usr/bin/gdbserver localhost:6666 /usr/lib/cups/filter/hpcups 1 debian '' 1 '' <print_step_2.raster >print_step_3.hpcups

gdb -q
set width 0
set pagination off
target remote localhost:6666
cont


benutzer@localhost:~$ /usr/bin/gdbserver localhost:6666 /usr/lib/cups/filter/hpcups 1 debian x 1 x <print_step_2.raster >print_step_3.hpcups
Process /usr/lib/cups/filter/hpcups created; pid = 9723
Listening on port 6666
Remote debugging from host ::1, port 42055
STATE: -marker-supply-low-warning
PAGE: 1 1
free(): invalid pointer


benutzer@localhost:~$ gdb -q
(gdb) set width 0
(gdb) set pagination off
(gdb) target remote localhost:6666
Remote debugging using localhost:6666
Reading /usr/lib/cups/filter/hpcups from remote target...
warning: File transfers from remote targets can be slow. Use "set sysroot" to access files locally instead.
Reading /usr/lib/cups/filter/hpcups from remote target...
Reading symbols from target:/usr/lib/cups/filter/hpcups...
Reading /usr/lib/cups/filter/25b6b40d5874920ba6c57ce85bb60b35661f71.debug from remote target...
Reading /usr/lib/cups/filter/.debug/25b6b40d5874920ba6c57ce85bb60b35661f71.debug from remote target...
Reading /usr/lib/debug//usr/lib/cups/filter/25b6b40d5874920ba6c57ce85bb60b35661f71.debug from remote target...
Reading /usr/lib/debug/usr/lib/cups/filter//25b6b40d5874920ba6c57ce85bb60b35661f71.debug from remote target...
Reading target:/usr/lib/debug/usr/lib/cups/filter//25b6b40d5874920ba6c57ce85bb60b35661f71.debug from remote target...
(No debugging symbols found in target:/usr/lib/cups/filter/hpcups)
Reading /lib/ld-linux-armhf.so.3 from remote target...
Reading /lib/ld-linux-armhf.so.3 from remote target...
Reading symbols from target:/lib/ld-linux-armhf.so.3...
Reading symbols from /usr/lib/debug/.build-id/57/fd3af960eb7a2864df305a64a665e5a8c25750.debug...
0xb6fd5a80 in _start () from target:/lib/ld-linux-armhf.so.3
(gdb) cont
Continuing.
Reading /lib/arm-linux-gnueabihf/libjpeg.so.62 from remote target...
...
Reading target:/usr/lib/debug/lib/arm-linux-gnueabihf//5673b0f41b07865f82a15c45bfb7e387b9a226.debug from remote target...

Program received signal SIGABRT, Aborted.
__libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47
47 ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0 __libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47
#1 0xb6be8dd0 in __libc_signal_restore_set (set=0xbefff314) at ../sysdeps/unix/sysv/linux/internal-signals.h:86
#2 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:48
#3 0xb6bd97a2 in __GI_abort () at abort.c:79
#4 0xb6c11c56 in __libc_message (action=action@entry=do_abort, fmt=<optimized out>) at ../sysdeps/posix/libc_fatal.c:155
#5 0xb6c16c32 in malloc_printerr (str=<optimized out>) at malloc.c:5347
#6 0xb6c17b14 in _int_free (av=<optimized out>, p=0x7f5f43e0, have_lock=0) at malloc.c:4173
#7 0x7f55b12c in ?? ()
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb) generate-core-file /tmp/core-1
warning: target file /proc/9723/cmdline contained unexpected null characters
Saved corefile /tmp/core-1


benutzer@localhost:~$ gdb -q /usr/lib/cups/filter/hpcups --core /tmp/core-1
Reading symbols from /usr/lib/cups/filter/hpcups...
Reading symbols from /usr/lib/debug/.build-id/20/25b6b40d5874920ba6c57ce85bb60b35661f71.debug...
[New LWP 9723]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/arm-linux-gnueabihf/libthread_db.so.1".
Core was generated by `/usr/lib/cups/filter/hpcups'.
Program terminated with signal SIGABRT, Aborted.
#0 __libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47
47 ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0 __libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47
#1 0xb6be8dd0 in __libc_signal_restore_set (set=0xbefff314) at ../sysdeps/unix/sysv/linux/internal-signals.h:86
#2 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:48
#3 0xb6bd97a2 in __GI_abort () at abort.c:79
#4 0xb6c11c56 in __libc_message (action=action@entry=do_abort, fmt=<optimized out>) at ../sysdeps/posix/libc_fatal.c:155
#5 0xb6c16c32 in malloc_printerr (str=<optimized out>) at malloc.c:5347
#6 0xb6c17b14 in _int_free (av=<optimized out>, p=0x7f5f43e0, have_lock=0) at malloc.c:4173
#7 0x7f55b12c in Compressor::~Compressor (this=0x7f5e0e70, __in_chrg=<optimized out>) at prnt/hpcups/Compressor.cpp:52
#8 0x7f55b6a8 in Mode9::~Mode9 (this=0x7f5e0e70, __in_chrg=<optimized out>) at prnt/hpcups/Mode9.cpp:51
#9 Mode9::~Mode9 (this=0x7f5e0e70, __in_chrg=<optimized out>) at prnt/hpcups/Mode9.cpp:52
#10 0x7f56289e in Job::~Job (this=0x7f5b87c8 <filter+4>, __in_chrg=<optimized out>) at prnt/hpcups/Job.cpp:137
#11 0x7f55a946 in HPCupsFilter::~HPCupsFilter (this=0x7f5b87c4 <filter>, __in_chrg=<optimized out>) at prnt/hpcups/HPCupsFilter.cpp:213
#12 0xb6beaa70 in __run_exit_handlers (status=0, listp=0xb6cba4fc <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:108
#13 0xb6beab32 in __GI_exit (status=<optimized out>) at exit.c:139
#14 0xb6bd9a24 in __libc_start_main (main=0x7f5587d1 <main(int, char**)>, argc=6, argv=0xbefff7b4, init=<optimized out>, fini=0x7f56ed5d <__libc_csu_fini>, rtld_fini=0xb6fe1075 <_dl_fini>, stack_end=0xbefff7b4) at libc-start.c:342
#15 0x7f55889c in _start () at prnt/hpcups/HPCupsFilter.cpp:919
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
https://sources.debian.org/src/hplip/3.20.5+dfsg0-3/prnt/hpcups/Compressor.cpp/#L52 ################ benutzer@localhost:~$ valgrind --log-file=valgrind.log /usr/lib/cups/filter/hpcups 1 debian x 1 x <print_step_2.raster >print_step_3.hpcups STATE: -marker-supply-low-warning PAGE: 1 1 benutzer@localhost:~$ cat valgrind.log ==13708== Memcheck, a memory error detector ==13708== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==13708== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info ==13708== Command: /usr/lib/cups/filter/hpcups 1 debian x 1 x ==13708== Parent PID: 9361 ==13708== ==13708== Conditional jump or move depends on uninitialised value(s) ==13708== at 0x4B982A4: tolower (ctype.c:46) ==13708== by 0x4849FAF: strcasestr (vg_replace_strmem.c:1838) ==13708== by 0x11C8DF: IsChromeOs (utils.c:42) ==13708== by 0x10CA13: HPCupsFilter::startPage(cups_page_header2_s*) (HPCupsFilter.cpp:461) ==13708== by 0x10D32B: HPCupsFilter::processRasterData(_cups_raster_s*) (HPCupsFilter.cpp:655) ==13708== by 0x10D6ED: HPCupsFilter::StartPrintJob(int, char**) (HPCupsFilter.cpp:584) ==13708== by 0x4B8DA1F: (below main) (libc-start.c:308) ==13708== ==13708== Use of uninitialised value of size 4 ==13708== at 0x4B982B6: tolower (ctype.c:46) ==13708== by 0x4849FAF: strcasestr (vg_replace_strmem.c:1838) ==13708== by 0x11C8DF: IsChromeOs (utils.c:42) ==13708== by 0x10CA13: HPCupsFilter::startPage(cups_page_header2_s*) (HPCupsFilter.cpp:461) ==13708== by 0x10D32B: HPCupsFilter::processRasterData(_cups_raster_s*) (HPCupsFilter.cpp:655) ==13708== by 0x10D6ED: HPCupsFilter::StartPrintJob(int, char**) (HPCupsFilter.cpp:584) ==13708== by 0x4B8DA1F: (below main) (libc-start.c:308) ==13708== ==13708== Invalid read of size 1 ==13708== at 0x117556: Backward16PixelsNonWhite (Halftoner.h:106) ==13708== by 0x117556: Halftoner::HTEDiffOpen(Halftoner::THTDitherParms*, unsigned short) (Halftoner.cpp:734) ==13708== by 0x117CE7: Halftoner::Process(RASTERDATA*) 
(Halftoner.cpp:548) ==13708== by 0x115DDF: Process (Pipeline.cpp:72) ==13708== by 0x115DDF: Pipeline::Execute(RASTERDATA*) (Pipeline.cpp:79) ==13708== by 0x115E01: Pipeline::Execute(RASTERDATA*) (Pipeline.cpp:83) ==13708== by 0x10D209: HPCupsFilter::processRasterData(_cups_raster_s*) (HPCupsFilter.cpp:766) ==13708== by 0x10D6ED: HPCupsFilter::StartPrintJob(int, char**) (HPCupsFilter.cpp:584) ==13708== by 0x4B8DA1F: (below main) (libc-start.c:308) ==13708== Address 0x55ad162 is 6 bytes after a block of size 12,100 alloc'd ==13708== at 0x48416F4: operator new[](unsigned int) (vg_replace_malloc.c:425) ==13708== by 0x116091: ColorMatcher::ColorMatcher(ColorMap_s, unsigned int, unsigned int) (ColorMatcher.cpp:63) ==13708== by 0x11109B: Pcl3::Configure(Pipeline**) (Pcl3.cpp:90) ==13708== by 0x115BF1: Job::Configure() (Job.cpp:248) ==13708== by 0x115C87: Job::Init(SystemServices*, JobAttributes_s*, Encapsulator*) (Job.cpp:63) ==13708== by 0x10CA79: HPCupsFilter::startPage(cups_page_header2_s*) (HPCupsFilter.cpp:481) ==13708== by 0x10D32B: HPCupsFilter::processRasterData(_cups_raster_s*) (HPCupsFilter.cpp:655) ==13708== by 0x10D6ED: HPCupsFilter::StartPrintJob(int, char**) (HPCupsFilter.cpp:584) ==13708== by 0x4B8DA1F: (below main) (libc-start.c:308) ==13708== ==13708== Invalid read of size 1 ==13708== at 0x10EA0C: Mode9::Process(RASTERDATA*) (Mode9.cpp:332) ==13708== by 0x115DDF: Process (Pipeline.cpp:72) ==13708== by 0x115DDF: Pipeline::Execute(RASTERDATA*) (Pipeline.cpp:79) ==13708== by 0x115E01: Pipeline::Execute(RASTERDATA*) (Pipeline.cpp:83) ==13708== by 0x115E01: Pipeline::Execute(RASTERDATA*) (Pipeline.cpp:83) ==13708== by 0x10D209: HPCupsFilter::processRasterData(_cups_raster_s*) (HPCupsFilter.cpp:766) ==13708== by 0x10D6ED: HPCupsFilter::StartPrintJob(int, char**) (HPCupsFilter.cpp:584) ==13708== by 0x4B8DA1F: (below main) (libc-start.c:308) ==13708== Address 0x55b6d63 is 0 bytes after a block of size 379 alloc'd ==13708== at 0x48416F4: operator new[](unsigned 
int) (vg_replace_malloc.c:425) ==13708== by 0x116D7F: Halftoner::Halftoner(PrintMode_s*, unsigned int, int*, int, bool) (Halftoner.cpp:184) ==13708== by 0x1110D5: Pcl3::Configure(Pipeline**) (Pcl3.cpp:92) ==13708== by 0x115BF1: Job::Configure() (Job.cpp:248) ==13708== by 0x115C87: Job::Init(SystemServices*, JobAttributes_s*, Encapsulator*) (Job.cpp:63) ==13708== by 0x10CA79: HPCupsFilter::startPage(cups_page_header2_s*) (HPCupsFilter.cpp:481) ==13708== by 0x10D32B: HPCupsFilter::processRasterData(_cups_raster_s*) (HPCupsFilter.cpp:655) ==13708== by 0x10D6ED: HPCupsFilter::StartPrintJob(int, char**) (HPCupsFilter.cpp:584) ==13708== by 0x4B8DA1F: (below main) (libc-start.c:308) ==13708== ==13708== Invalid read of size 1 ==13708== at 0x10EAEE: Mode9::Process(RASTERDATA*) (Mode9.cpp:215) ==13708== by 0x115DDF: Process (Pipeline.cpp:72) ==13708== by 0x115DDF: Pipeline::Execute(RASTERDATA*) (Pipeline.cpp:79) ==13708== by 0x115E01: Pipeline::Execute(RASTERDATA*) (Pipeline.cpp:83) ==13708== by 0x115E01: Pipeline::Execute(RASTERDATA*) (Pipeline.cpp:83) ==13708== by 0x10D209: HPCupsFilter::processRasterData(_cups_raster_s*) (HPCupsFilter.cpp:766) ==13708== by 0x10D6ED: HPCupsFilter::StartPrintJob(int, char**) (HPCupsFilter.cpp:584) ==13708== by 0x4B8DA1F: (below main) (libc-start.c:308) ==13708== Address 0x55b9019 is 0 bytes after a block of size 3,025 alloc'd ==13708== at 0x48416F4: operator new[](unsigned int) (vg_replace_malloc.c:425) ==13708== by 0x10E103: Compressor::Compressor(unsigned int, bool) (Compressor.cpp:44) ==13708== by 0x10EBE1: Mode9::Mode9(unsigned int, bool) (Mode9.cpp:34) ==13708== by 0x1110FD: Pcl3::Configure(Pipeline**) (Pcl3.cpp:95) ==13708== by 0x115BF1: Job::Configure() (Job.cpp:248) ==13708== by 0x115C87: Job::Init(SystemServices*, JobAttributes_s*, Encapsulator*) (Job.cpp:63) ==13708== by 0x10CA79: HPCupsFilter::startPage(cups_page_header2_s*) (HPCupsFilter.cpp:481) ==13708== by 0x10D32B: HPCupsFilter::processRasterData(_cups_raster_s*) 
(HPCupsFilter.cpp:655) ==13708== by 0x10D6ED: HPCupsFilter::StartPrintJob(int, char**) (HPCupsFilter.cpp:584) ==13708== by 0x4B8DA1F: (below main) (libc-start.c:308) ==13708== ==13708== Invalid write of size 1 ==13708== at 0x48464A8: memcpy (vg_replace_strmem.c:1034) ==13708== by 0x10E8D1: UnknownInlinedFun (string_fortified.h:34) ==13708== by 0x10E8D1: Mode9::Process(RASTERDATA*) (Mode9.cpp:405) ==13708== by 0x115DDF: Process (Pipeline.cpp:72) ==13708== by 0x115DDF: Pipeline::Execute(RASTERDATA*) (Pipeline.cpp:79) ==13708== by 0x115E01: Pipeline::Execute(RASTERDATA*) (Pipeline.cpp:83) ==13708== by 0x115E01: Pipeline::Execute(RASTERDATA*) (Pipeline.cpp:83) ==13708== by 0x10D209: HPCupsFilter::processRasterData(_cups_raster_s*) (HPCupsFilter.cpp:766) ==13708== by 0x10D6ED: HPCupsFilter::StartPrintJob(int, char**) (HPCupsFilter.cpp:584) ==13708== by 0x4B8DA1F: (below main) (libc-start.c:308) ==13708== Address 0x55b9019 is 0 bytes after a block of size 3,025 alloc'd ==13708== at 0x48416F4: operator new[](unsigned int) (vg_replace_malloc.c:425) ==13708== by 0x10E103: Compressor::Compressor(unsigned int, bool) (Compressor.cpp:44) ==13708== by 0x10EBE1: Mode9::Mode9(unsigned int, bool) (Mode9.cpp:34) ==13708== by 0x1110FD: Pcl3::Configure(Pipeline**) (Pcl3.cpp:95) ==13708== by 0x115BF1: Job::Configure() (Job.cpp:248) ==13708== by 0x115C87: Job::Init(SystemServices*, JobAttributes_s*, Encapsulator*) (Job.cpp:63) ==13708== by 0x10CA79: HPCupsFilter::startPage(cups_page_header2_s*) (HPCupsFilter.cpp:481) ==13708== by 0x10D32B: HPCupsFilter::processRasterData(_cups_raster_s*) (HPCupsFilter.cpp:655) ==13708== by 0x10D6ED: HPCupsFilter::StartPrintJob(int, char**) (HPCupsFilter.cpp:584) ==13708== by 0x4B8DA1F: (below main) (libc-start.c:308) ==13708== ==13708== Invalid read of size 1 ==13708== at 0x11709C: Halftoner::FORWARD_FED(short, unsigned int) (Halftoner.cpp:800) ==13708== by 0x11764B: Halftoner::HTEDiffOpen(Halftoner::THTDitherParms*, unsigned short) (Halftoner.cpp:672) 
==13708== by 0x117CE7: Halftoner::Process(RASTERDATA*) (Halftoner.cpp:548) ==13708== by 0x115DDF: Process (Pipeline.cpp:72) ==13708== by 0x115DDF: Pipeline::Execute(RASTERDATA*) (Pipeline.cpp:79) ==13708== by 0x115E01: Pipeline::Execute(RASTERDATA*) (Pipeline.cpp:83) ==13708== by 0x10D209: HPCupsFilter::processRasterData(_cups_raster_s*) (HPCupsFilter.cpp:766) ==13708== by 0x10D6ED: HPCupsFilter::StartPrintJob(int, char**) (HPCupsFilter.cpp:584) ==13708== by 0x4B8DA1F: (below main) (libc-start.c:308) ==13708== Address 0x55ad15c is 0 bytes after a block of size 12,100 alloc'd ==13708== at 0x48416F4: operator new[](unsigned int) (vg_replace_malloc.c:425) ==13708== by 0x116091: ColorMatcher::ColorMatcher(ColorMap_s, unsigned int, unsigned int) (ColorMatcher.cpp:63) ==13708== by 0x11109B: Pcl3::Configure(Pipeline**) (Pcl3.cpp:90) ==13708== by 0x115BF1: Job::Configure() (Job.cpp:248) ==13708== by 0x115C87: Job::Init(SystemServices*, JobAttributes_s*, Encapsulator*) (Job.cpp:63) ==13708== by 0x10CA79: HPCupsFilter::startPage(cups_page_header2_s*) (HPCupsFilter.cpp:481) ==13708== by 0x10D32B: HPCupsFilter::processRasterData(_cups_raster_s*) (HPCupsFilter.cpp:655) ==13708== by 0x10D6ED: HPCupsFilter::StartPrintJob(int, char**) (HPCupsFilter.cpp:584) ==13708== by 0x4B8DA1F: (below main) (libc-start.c:308) ==13708== ==13708== Invalid read of size 1 ==13708== at 0x11709C: Halftoner::FORWARD_FED(short, unsigned int) (Halftoner.cpp:800) ==13708== by 0x117675: Halftoner::HTEDiffOpen(Halftoner::THTDitherParms*, unsigned short) (Halftoner.cpp:674) ==13708== by 0x117CE7: Halftoner::Process(RASTERDATA*) (Halftoner.cpp:548) ==13708== by 0x115DDF: Process (Pipeline.cpp:72) ==13708== by 0x115DDF: Pipeline::Execute(RASTERDATA*) (Pipeline.cpp:79) ==13708== by 0x115E01: Pipeline::Execute(RASTERDATA*) (Pipeline.cpp:83) ==13708== by 0x10D209: HPCupsFilter::processRasterData(_cups_raster_s*) (HPCupsFilter.cpp:766) ==13708== by 0x10D6ED: HPCupsFilter::StartPrintJob(int, char**) 
(HPCupsFilter.cpp:584) ==13708== by 0x4B8DA1F: (below main) (libc-start.c:308) ==13708== Address 0x55ad15d is 1 bytes after a block of size 12,100 alloc'd ==13708== at 0x48416F4: operator new[](unsigned int) (vg_replace_malloc.c:425) ==13708== by 0x116091: ColorMatcher::ColorMatcher(ColorMap_s, unsigned int, unsigned int) (ColorMatcher.cpp:63) ==13708== by 0x11109B: Pcl3::Configure(Pipeline**) (Pcl3.cpp:90) ==13708== by 0x115BF1: Job::Configure() (Job.cpp:248) ==13708== by 0x115C87: Job::Init(SystemServices*, JobAttributes_s*, Encapsulator*) (Job.cpp:63) ==13708== by 0x10CA79: HPCupsFilter::startPage(cups_page_header2_s*) (HPCupsFilter.cpp:481) ==13708== by 0x10D32B: HPCupsFilter::processRasterData(_cups_raster_s*) (HPCupsFilter.cpp:655) ==13708== by 0x10D6ED: HPCupsFilter::StartPrintJob(int, char**) (HPCupsFilter.cpp:584) ==13708== by 0x4B8DA1F: (below main) (libc-start.c:308) ==13708== ==13708== Invalid read of size 1 ==13708== at 0x11709C: Halftoner::FORWARD_FED(short, unsigned int) (Halftoner.cpp:800) ==13708== by 0x11769F: Halftoner::HTEDiffOpen(Halftoner::THTDitherParms*, unsigned short) (Halftoner.cpp:676) ==13708== by 0x117CE7: Halftoner::Process(RASTERDATA*) (Halftoner.cpp:548) ==13708== by 0x115DDF: Process (Pipeline.cpp:72) ==13708== by 0x115DDF: Pipeline::Execute(RASTERDATA*) (Pipeline.cpp:79) ==13708== by 0x115E01: Pipeline::Execute(RASTERDATA*) (Pipeline.cpp:83) ==13708== by 0x10D209: HPCupsFilter::processRasterData(_cups_raster_s*) (HPCupsFilter.cpp:766) ==13708== by 0x10D6ED: HPCupsFilter::StartPrintJob(int, char**) (HPCupsFilter.cpp:584) ==13708== by 0x4B8DA1F: (below main) (libc-start.c:308) ==13708== Address 0x55ad15e is 2 bytes after a block of size 12,100 alloc'd ==13708== at 0x48416F4: operator new[](unsigned int) (vg_replace_malloc.c:425) ==13708== by 0x116091: ColorMatcher::ColorMatcher(ColorMap_s, unsigned int, unsigned int) (ColorMatcher.cpp:63) ==13708== by 0x11109B: Pcl3::Configure(Pipeline**) (Pcl3.cpp:90) ==13708== by 0x115BF1: 
Job::Configure() (Job.cpp:248) ==13708== by 0x115C87: Job::Init(SystemServices*, JobAttributes_s*, Encapsulator*) (Job.cpp:63) ==13708== by 0x10CA79: HPCupsFilter::startPage(cups_page_header2_s*) (HPCupsFilter.cpp:481) ==13708== by 0x10D32B: HPCupsFilter::processRasterData(_cups_raster_s*) (HPCupsFilter.cpp:655) ==13708== by 0x10D6ED: HPCupsFilter::StartPrintJob(int, char**) (HPCupsFilter.cpp:584) ==13708== by 0x4B8DA1F: (below main) (libc-start.c:308) ==13708== ==13708== Invalid read of size 1 ==13708== at 0x11709C: Halftoner::FORWARD_FED(short, unsigned int) (Halftoner.cpp:800) ==13708== by 0x1176C9: Halftoner::HTEDiffOpen(Halftoner::THTDitherParms*, unsigned short) (Halftoner.cpp:678) ==13708== by 0x117CE7: Halftoner::Process(RASTERDATA*) (Halftoner.cpp:548) ==13708== by 0x115DDF: Process (Pipeline.cpp:72) ==13708== by 0x115DDF: Pipeline::Execute(RASTERDATA*) (Pipeline.cpp:79) ==13708== by 0x115E01: Pipeline::Execute(RASTERDATA*) (Pipeline.cpp:83) ==13708== by 0x10D209: HPCupsFilter::processRasterData(_cups_raster_s*) (HPCupsFilter.cpp:766) ==13708== by 0x10D6ED: HPCupsFilter::StartPrintJob(int, char**) (HPCupsFilter.cpp:584) ==13708== by 0x4B8DA1F: (below main) (libc-start.c:308) ==13708== Address 0x55ad15f is 3 bytes after a block of size 12,100 alloc'd ==13708== at 0x48416F4: operator new[](unsigned int) (vg_replace_malloc.c:425) ==13708== by 0x116091: ColorMatcher::ColorMatcher(ColorMap_s, unsigned int, unsigned int) (ColorMatcher.cpp:63) ==13708== by 0x11109B: Pcl3::Configure(Pipeline**) (Pcl3.cpp:90) ==13708== by 0x115BF1: Job::Configure() (Job.cpp:248) ==13708== by 0x115C87: Job::Init(SystemServices*, JobAttributes_s*, Encapsulator*) (Job.cpp:63) ==13708== by 0x10CA79: HPCupsFilter::startPage(cups_page_header2_s*) (HPCupsFilter.cpp:481) ==13708== by 0x10D32B: HPCupsFilter::processRasterData(_cups_raster_s*) (HPCupsFilter.cpp:655) ==13708== by 0x10D6ED: HPCupsFilter::StartPrintJob(int, char**) (HPCupsFilter.cpp:584) ==13708== by 0x4B8DA1F: (below main) 
(libc-start.c:308) ==13708== ==13708== Invalid read of size 1 ==13708== at 0x11709C: Halftoner::FORWARD_FED(short, unsigned int) (Halftoner.cpp:800) ==13708== by 0x1176F3: Halftoner::HTEDiffOpen(Halftoner::THTDitherParms*, unsigned short) (Halftoner.cpp:680) ==13708== by 0x117CE7: Halftoner::Process(RASTERDATA*) (Halftoner.cpp:548) ==13708== by 0x115DDF: Process (Pipeline.cpp:72) ==13708== by 0x115DDF: Pipeline::Execute(RASTERDATA*) (Pipeline.cpp:79) ==13708== by 0x115E01: Pipeline::Execute(RASTERDATA*) (Pipeline.cpp:83) ==13708== by 0x10D209: HPCupsFilter::processRasterData(_cups_raster_s*) (HPCupsFilter.cpp:766) ==13708== by 0x10D6ED: HPCupsFilter::StartPrintJob(int, char**) (HPCupsFilter.cpp:584) ==13708== by 0x4B8DA1F: (below main) (libc-start.c:308) ==13708== Address 0x55ad160 is 4 bytes after a block of size 12,100 alloc'd ==13708== at 0x48416F4: operator new[](unsigned int) (vg_replace_malloc.c:425) ==13708== by 0x116091: ColorMatcher::ColorMatcher(ColorMap_s, unsigned int, unsigned int) (ColorMatcher.cpp:63) ==13708== by 0x11109B: Pcl3::Configure(Pipeline**) (Pcl3.cpp:90) ==13708== by 0x115BF1: Job::Configure() (Job.cpp:248) ==13708== by 0x115C87: Job::Init(SystemServices*, JobAttributes_s*, Encapsulator*) (Job.cpp:63) ==13708== by 0x10CA79: HPCupsFilter::startPage(cups_page_header2_s*) (HPCupsFilter.cpp:481) ==13708== by 0x10D32B: HPCupsFilter::processRasterData(_cups_raster_s*) (HPCupsFilter.cpp:655) ==13708== by 0x10D6ED: HPCupsFilter::StartPrintJob(int, char**) (HPCupsFilter.cpp:584) ==13708== by 0x4B8DA1F: (below main) (libc-start.c:308) ==13708== ==13708== Invalid read of size 1 ==13708== at 0x11709C: Halftoner::FORWARD_FED(short, unsigned int) (Halftoner.cpp:800) ==13708== by 0x11771D: Halftoner::HTEDiffOpen(Halftoner::THTDitherParms*, unsigned short) (Halftoner.cpp:682) ==13708== by 0x117CE7: Halftoner::Process(RASTERDATA*) (Halftoner.cpp:548) ==13708== by 0x115DDF: Process (Pipeline.cpp:72) ==13708== by 0x115DDF: Pipeline::Execute(RASTERDATA*) 
(Pipeline.cpp:79) ==13708== by 0x115E01: Pipeline::Execute(RASTERDATA*) (Pipeline.cpp:83) ==13708== by 0x10D209: HPCupsFilter::processRasterData(_cups_raster_s*) (HPCupsFilter.cpp:766) ==13708== by 0x10D6ED: HPCupsFilter::StartPrintJob(int, char**) (HPCupsFilter.cpp:584) ==13708== by 0x4B8DA1F: (below main) (libc-start.c:308) ==13708== Address 0x55ad161 is 5 bytes after a block of size 12,100 alloc'd ==13708== at 0x48416F4: operator new[](unsigned int) (vg_replace_malloc.c:425) ==13708== by 0x116091: ColorMatcher::ColorMatcher(ColorMap_s, unsigned int, unsigned int) (ColorMatcher.cpp:63) ==13708== by 0x11109B: Pcl3::Configure(Pipeline**) (Pcl3.cpp:90) ==13708== by 0x115BF1: Job::Configure() (Job.cpp:248) ==13708== by 0x115C87: Job::Init(SystemServices*, JobAttributes_s*, Encapsulator*) (Job.cpp:63) ==13708== by 0x10CA79: HPCupsFilter::startPage(cups_page_header2_s*) (HPCupsFilter.cpp:481) ==13708== by 0x10D32B: HPCupsFilter::processRasterData(_cups_raster_s*) (HPCupsFilter.cpp:655) ==13708== by 0x10D6ED: HPCupsFilter::StartPrintJob(int, char**) (HPCupsFilter.cpp:584) ==13708== by 0x4B8DA1F: (below main) (libc-start.c:308) ==13708== ==13708== Invalid read of size 1 ==13708== at 0x11709C: Halftoner::FORWARD_FED(short, unsigned int) (Halftoner.cpp:800) ==13708== by 0x117749: Halftoner::HTEDiffOpen(Halftoner::THTDitherParms*, unsigned short) (Halftoner.cpp:684) ==13708== by 0x117CE7: Halftoner::Process(RASTERDATA*) (Halftoner.cpp:548) ==13708== by 0x115DDF: Process (Pipeline.cpp:72) ==13708== by 0x115DDF: Pipeline::Execute(RASTERDATA*) (Pipeline.cpp:79) ==13708== by 0x115E01: Pipeline::Execute(RASTERDATA*) (Pipeline.cpp:83) ==13708== by 0x10D209: HPCupsFilter::processRasterData(_cups_raster_s*) (HPCupsFilter.cpp:766) ==13708== by 0x10D6ED: HPCupsFilter::StartPrintJob(int, char**) (HPCupsFilter.cpp:584) ==13708== by 0x4B8DA1F: (below main) (libc-start.c:308) ==13708== Address 0x55ad162 is 6 bytes after a block of size 12,100 alloc'd ==13708== at 0x48416F4: operator 
new[](unsigned int) (vg_replace_malloc.c:425) ==13708== by 0x116091: ColorMatcher::ColorMatcher(ColorMap_s, unsigned int, unsigned int) (ColorMatcher.cpp:63) ==13708== by 0x11109B: Pcl3::Configure(Pipeline**) (Pcl3.cpp:90) ==13708== by 0x115BF1: Job::Configure() (Job.cpp:248) ==13708== by 0x115C87: Job::Init(SystemServices*, JobAttributes_s*, Encapsulator*) (Job.cpp:63) ==13708== by 0x10CA79: HPCupsFilter::startPage(cups_page_header2_s*) (HPCupsFilter.cpp:481) ==13708== by 0x10D32B: HPCupsFilter::processRasterData(_cups_raster_s*) (HPCupsFilter.cpp:655) ==13708== by 0x10D6ED: HPCupsFilter::StartPrintJob(int, char**) (HPCupsFilter.cpp:584) ==13708== by 0x4B8DA1F: (below main) (libc-start.c:308) ==13708== ==13708== ==13708== HEAP SUMMARY: ==13708== in use at exit: 6,752 bytes in 3 blocks ==13708== total heap usage: 1,891 allocs, 1,888 frees, 440,929 bytes allocated ==13708== ==13708== LEAK SUMMARY: ==13708== definitely lost: 0 bytes in 0 blocks ==13708== indirectly lost: 0 bytes in 0 blocks ==13708== possibly lost: 0 bytes in 0 blocks ==13708== still reachable: 6,752 bytes in 3 blocks ==13708== suppressed: 0 bytes in 0 blocks ==13708== Rerun with --leak-check=full to see details of leaked memory ==13708== ==13708== Use --track-origins=yes to see where uninitialised values come from ==13708== For lists of detected and suppressed errors, rerun with: -s ==13708== ERROR SUMMARY: 32062 errors from 13 contexts (suppressed: 0 from 0) ################ benutzer@localhost:~$ /usr/bin/gdbserver localhost:6666 /usr/lib/cups/filter/hpcups 1 debian x 1 x <print_step_2.raster >print_step_3.hpcups Process /usr/lib/cups/filter/hpcups created; pid = 13734 Listening on port 6666 gdb -q set width 0 set pagination off directory /home/benutzer/source/libc6/orig/glibc-2.31/malloc target remote localhost:6666 b Compressor::Compressor cont display compressBuf print &compressBuf set can-use-hw-watchpoints false watch *0x7f5e0e98 cont bt disa 2 print (mchunkptr)(0x7f5f43e8-8) print 
*(mchunkptr)(0x7f5f43e8-8) print ((mchunkptr)(0x7f5f43e8-8))->mchunk_size print &(((mchunkptr)(0x7f5f43e8-8))->mchunk_size) display/x *(int*)(0x7f5f43e8-4) b free if $r0==0x7f5f43e8 b Mode9.cpp:405 ignore 4 7 cont watch *(0x7f5f43e8-4) cont disa 5 disa 4 cont bt finish bt benutzer@localhost:~$ gdb -q (gdb) set width 0 (gdb) set pagination off (gdb) directory /home/benutzer/source/libc6/orig/glibc-2.31/malloc Source directories searched: /home/benutzer/source/libc6/orig/glibc-2.31/malloc:$cdir:$cwdb C (gdb) target remote localhost:6666 r cont display compressBuf print &cRemote debugging using localhost:6666o mpressBuf set can-use-hw-watchpoints false watch *0x7f5e0e98 cont bt disa 2 print (mchunkptr)(0x7f5f43e8-8) print *(mchunkptReading /usr/lib/cups/filter/hpcups from remote target...r warning: )File transfers from remote targets can be slow. Use "set sysroot" to access files locally instead.( 0x7f5f43e8-8) print ((mchunkptr)(0x7f5f43e8-8))->mchunk_size print &(((mchunkptr)(0x7f5f43e8-8))->mchunk_size) display/x *(int*)(0x7f5f43e8-4) b free if $r0==0x7f5f43e8 b Mode9.cpp:405 Reading /usr/lib/cups/filter/hpcups from remote target... Reading symbols from target:/usr/lib/cups/filter/hpcups... Reading symbols from /usr/lib/debug/.build-id/20/25b6b40d5874920ba6c57ce85bb60b35661f71.debug... Reading /lib/ld-linux-armhf.so.3 from remote target... Reading /lib/ld-linux-armhf.so.3 from remote target... Reading symbols from target:/lib/ld-linux-armhf.so.3... Reading symbols from /usr/lib/debug/.build-id/57/fd3af960eb7a2864df305a64a665e5a8c25750.debug... 0xb6fd5a80 in _start () from target:/lib/ld-linux-armhf.so.3 (gdb) b Compressor::Compressor Breakpoint 1 at 0x7f55b0c4: file prnt/hpcups/Compressor.cpp, line 32. (gdb) cont Continuing. Reading /lib/arm-linux-gnueabihf/libjpeg.so.62 from remote target... ... Reading target:/usr/lib/debug/lib/arm-linux-gnueabihf//5673b0f41b07865f82a15c45bfb7e387b9a226.debug from remote target... 

Breakpoint 1, Compressor::Compressor (this=0x7f5e0e70, RasterSize=3025, useseed=true) at prnt/hpcups/Compressor.cpp:32
32 prnt/hpcups/Compressor.cpp: Datei oder Verzeichnis nicht gefunden.
(gdb) display compressBuf
1: compressBuf = warning: can't find linker symbol for virtual table for `Compressor' value
(BYTE *) 0x0
(gdb) print &compressBuf
warning: can't find linker symbol for virtual table for `Compressor' value
$1 = (BYTE **) 0x7f5e0e98
(gdb) set can-use-hw-watchpoints false
(gdb) watch *0x7f5e0e98
Watchpoint 2: *0x7f5e0e98
(gdb) cont
Continuing.

Watchpoint 2: *0x7f5e0e98

Old value = 0
New value = 2136949736
Mode9::Mode9 (this=0x7f5e0e70, RasterSize=3025, bPackedBits=<optimized out>) at prnt/hpcups/Mode9.cpp:44
44 prnt/hpcups/Mode9.cpp: Datei oder Verzeichnis nicht gefunden.
1: compressBuf = (BYTE *) 0x7f5f43e8 ""
(gdb) bt
#0 Mode9::Mode9 (this=0x7f5e0e70, RasterSize=3025, bPackedBits=<optimized out>) at prnt/hpcups/Mode9.cpp:44
#1 0x7f55e0fe in Pcl3::Configure (this=<optimized out>, pipeline=0x7f5b8ca4 <filter+1248>) at prnt/hpcups/Pcl3.cpp:95
#2 0x7f562bf2 in Job::Configure (this=this@entry=0x7f5b87c8 <filter+4>) at prnt/hpcups/Job.cpp:248
#3 0x7f562c88 in Job::Init (this=0x7f5b87c8 <filter+4>, pSystemServices=0x7f5bb238, job_attrs=<optimized out>, encap_intf=<optimized out>) at prnt/hpcups/Job.cpp:63
#4 0x7f559a7a in HPCupsFilter::startPage (this=0x7f5b87c4 <filter>, cups_header=0xbeffead0) at prnt/hpcups/HPCupsFilter.cpp:481
#5 0x7f55a32c in HPCupsFilter::processRasterData (this=0x7f5b87c4 <filter>, cups_raster=<optimized out>) at prnt/hpcups/HPCupsFilter.cpp:655
#6 0x7f55a6ee in HPCupsFilter::StartPrintJob (this=0x7f5b87c4 <filter>, argc=6, argv=0xbefff7b4) at prnt/hpcups/HPCupsFilter.cpp:584
#7 0xb6bd9a20 in __libc_start_main (main=0x7f5587d1 <main(int, char**)>, argc=6, argv=0xbefff7b4, init=<optimized out>, fini=0x7f56ed5d <__libc_csu_fini>, rtld_fini=0xb6fe1075 <_dl_fini>, stack_end=0xbefff7b4) at libc-start.c:308
#8 0x7f55889c in _start () at prnt/hpcups/HPCupsFilter.cpp:919
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

--> Here the memory 0x7f5f43e8 gets allocated

(gdb) disa 2
(gdb) print (mchunkptr)(0x7f5f43e8-8)
$2 = (mchunkptr) 0x7f5f43e0
(gdb) print *(mchunkptr)(0x7f5f43e8-8)
$3 = {mchunk_prev_size = 0, mchunk_size = 6057, fd = 0x0, bk = 0x0, fd_nextsize = 0x0, bk_nextsize = 0x0}
(gdb) print ((mchunkptr)(0x7f5f43e8-8))->mchunk_size
$4 = 6057
(gdb) print &(((mchunkptr)(0x7f5f43e8-8))->mchunk_size)
$5 = (size_t *) 0x7f5f43e4
(gdb) display/x *(int*)(0x7f5f43e8-4)
2: /x *(int*)(0x7f5f43e8-4) = 0x17a9
(gdb) b free if $r0==0x7f5f43e8
Breakpoint 3 at 0xb6c1a47c: free. (2 locations)
(gdb) b Mode9.cpp:405
Breakpoint 4 at 0x7f55b8b4: file prnt/hpcups/Mode9.cpp, line 405.
(gdb) ignore 4 7
Will ignore next 7 crossings of breakpoint 4.
(gdb) cont
Continuing.

Breakpoint 4, Mode9::Process (this=0x7f5e0e70, input=0x7f5e0e84) at prnt/hpcups/Mode9.cpp:405
405 in prnt/hpcups/Mode9.cpp
1: compressBuf = (BYTE *) 0x7f5f43e8 "y\323.\200", <incomplete sequence \342\220>
2: /x *(int*)(0x7f5f43e8-4) = 0x17a9
(gdb) watch *(0x7f5f43e8-4)
Watchpoint 5: *(0x7f5f43e8-4)
(gdb) cont
Continuing.

Watchpoint 5: *(0x7f5f43e8-4)

Old value = 6057
New value = 0
__memcpy_neon () at ../sysdeps/arm/armv7/multiarch/memcpy_impl.S:295
warning: Source file is more recent than executable.
295 tst count, #4
1: compressBuf = <error: current stack frame does not contain a variable named `this'>
2: /x *(int*)(0x7f5f43e8-4) = 0x0
(gdb) bt
#0 __memcpy_neon () at ../sysdeps/arm/armv7/multiarch/memcpy_impl.S:295
#1 0x7f55b8d2 in memcpy (__len=379, __src=<optimized out>, __dest=<optimized out>) at /usr/include/arm-linux-gnueabihf/bits/string_fortified.h:34
#2 Mode9::Process (this=0x7f5e0e70, input=0x7f5e0e84) at prnt/hpcups/Mode9.cpp:405
#3 0x7f562de0 in Pipeline::Process (raster=<optimized out>, this=0x7f5d7340) at prnt/hpcups/Pipeline.cpp:79
#4 Pipeline::Execute (this=0x7f5d7340, InputRaster=<optimized out>) at prnt/hpcups/Pipeline.cpp:79
#5 0x7f562e02 in Pipeline::Execute (this=0x7f5e6b88, InputRaster=<optimized out>) at prnt/hpcups/Pipeline.cpp:83
#6 0x7f562e02 in Pipeline::Execute (this=0x7f5e6b70, InputRaster=<optimized out>) at prnt/hpcups/Pipeline.cpp:83
#7 0x7f55a20a in HPCupsFilter::processRasterData (this=0x7f5b87c4 <filter>, cups_raster=<optimized out>) at prnt/hpcups/HPCupsFilter.cpp:766
#8 0x7f55a6ee in HPCupsFilter::StartPrintJob (this=0x7f5b87c4 <filter>, argc=6, argv=0xbefff7b4) at prnt/hpcups/HPCupsFilter.cpp:584
#9 0xb6bd9a20 in __libc_start_main (main=0x7f5587d1 <main(int, char**)>, argc=6, argv=0xbefff7b4, init=<optimized out>, fini=0x7f56ed5d <__libc_csu_fini>, rtld_fini=0xb6fe1075 <_dl_fini>, stack_end=0xbefff7b4) at libc-start.c:308
#10 0x7f55889c in _start () at prnt/hpcups/HPCupsFilter.cpp:919
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

--> Here the "mchunk_size" is overwritten.

(gdb) disa 5
(gdb) disa 4
(gdb) cont
Continuing.

Breakpoint 3, __GI___libc_free (mem=0x7f5f43e8) at malloc.c:3092
3092 = atomic_forced_read (__free_hook);
1: compressBuf = <error: current stack frame does not contain a variable named `this'>
2: /x *(int*)(0x7f5f43e8-4) = 0x0
(gdb) bt
#0 __GI___libc_free (mem=0x7f5f43e8) at malloc.c:3092
#1 0x7f55b12c in Compressor::~Compressor (this=0x7f5e0e70, __in_chrg=<optimized out>) at prnt/hpcups/Compressor.cpp:52
#2 0x7f55b6a8 in Mode9::~Mode9 (this=0x7f5e0e70, __in_chrg=<optimized out>) at prnt/hpcups/Mode9.cpp:51
#3 Mode9::~Mode9 (this=0x7f5e0e70, __in_chrg=<optimized out>) at prnt/hpcups/Mode9.cpp:52
#4 0x7f56289e in Job::~Job (this=0x7f5b87c8 <filter+4>, __in_chrg=<optimized out>) at prnt/hpcups/Job.cpp:137
#5 0x7f55a946 in HPCupsFilter::~HPCupsFilter (this=0x7f5b87c4 <filter>, __in_chrg=<optimized out>) at prnt/hpcups/HPCupsFilter.cpp:213
#6 0xb6beaa70 in __run_exit_handlers (status=0, listp=0xb6cba4fc <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:108
#7 0xb6beab32 in __GI_exit (status=<optimized out>) at exit.c:139
#8 0xb6bd9a24 in __libc_start_main (main=0x7f5587d1 <main(int, char**)>, argc=6, argv=0xbefff7b4, init=<optimized out>, fini=0x7f56ed5d <__libc_csu_fini>, rtld_fini=0xb6fe1075 <_dl_fini>, stack_end=0xbefff7b4) at libc-start.c:342
#9 0x7f55889c in _start () at prnt/hpcups/HPCupsFilter.cpp:919
Backtrace stopped: previous frame identical to this frame (corrupt stack?)

--> Here the memory 0x7f5f43e8 should be freed, but with a damaged "mchunk_size" ...

(gdb) finish
Run till exit from #0 __GI___libc_free (mem=0x7f5f43e8) at malloc.c:3092

Program received signal SIGABRT, Aborted.
__libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47
47 pop {r7, pc}
1: compressBuf = <error: current stack frame does not contain a variable named `this'>
2: /x *(int*)(0x7f5f43e8-4) = 0x0
(gdb) bt
#0 __libc_do_syscall () at ../sysdeps/unix/sysv/linux/arm/libc-do-syscall.S:47
#1 0xb6be8dd0 in __libc_signal_restore_set (set=0xbefff314) at ../sysdeps/unix/sysv/linux/internal-signals.h:86
#2 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:48
#3 0xb6bd97a2 in __GI_abort () at abort.c:79
#4 0xb6c11c56 in __libc_message (action=action@entry=do_abort, fmt=<optimized out>) at ../sysdeps/posix/libc_fatal.c:155
#5 0xb6c16c32 in malloc_printerr (str=<optimized out>) at malloc.c:5347
#6 0xb6c17b14 in _int_free (av=<optimized out>, p=0x7f5f43e0, have_lock=0) at malloc.c:4173
#7 0x7f55b12c in Compressor::~Compressor (this=0x7f5e0e70, __in_chrg=<optimized out>) at prnt/hpcups/Compressor.cpp:52
#8 0x7f55b6a8 in Mode9::~Mode9 (this=0x7f5e0e70, __in_chrg=<optimized out>) at prnt/hpcups/Mode9.cpp:51
#9 Mode9::~Mode9 (this=0x7f5e0e70, __in_chrg=<optimized out>) at prnt/hpcups/Mode9.cpp:52
#10 0x7f56289e in Job::~Job (this=0x7f5b87c8 <filter+4>, __in_chrg=<optimized out>) at prnt/hpcups/Job.cpp:137
#11 0x7f55a946 in HPCupsFilter::~HPCupsFilter (this=0x7f5b87c4 <filter>, __in_chrg=<optimized out>) at prnt/hpcups/HPCupsFilter.cpp:213
#12 0xb6beaa70 in __run_exit_handlers (status=0, listp=0xb6cba4fc <__exit_funcs>, run_list_atexit=run_list_atexit@entry=true, run_dtors=run_dtors@entry=true) at exit.c:108
#13 0xb6beab32 in __GI_exit (status=<optimized out>) at exit.c:139
#14 0xb6bd9a24 in __libc_start_main (main=0x7f5587d1 <main(int, char**)>, argc=6, argv=0xbefff7b4, init=<optimized out>, fini=0x7f56ed5d <__libc_csu_fini>, rtld_fini=0xb6fe1075 <_dl_fini>, stack_end=0xbefff7b4) at libc-start.c:342
#15 0x7f55889c in _start () at prnt/hpcups/HPCupsFilter.cpp:919
Backtrace stopped: previous frame identical to this frame (corrupt stack?)
(gdb)

https://sources.debian.org/src/hplip/3.20.5+dfsg0-3/prnt/hpcups/Mode9.cpp/#L405
https://sources.debian.org/src/hplip/3.20.5+dfsg0-3/prnt/hpcups/Compressor.cpp/#L52
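
The chunk-header arithmetic the session relies on (mem-8 is the chunk header, mem-4 the size word), as an added example that is not part of the original report or of the hplip or glibc sources. It assumes the 32-bit glibc layout seen in the session (4-byte size_t, 8-byte chunk alignment); decode_chunk, request_to_chunk and the sanity check are this example's own simplified stand-ins for the allocator's logic.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: 32-bit glibc as in the session (4-byte size_t, 8-byte
   chunk alignment). All names here belong to this example. */
enum { SIZE_SZ32 = 4, ALIGN32 = 8, MINSIZE32 = 16, IS_MMAPPED32 = 2 };

struct chunk_info {
    uint32_t header;  /* chunk start: user pointer minus 8 */
    uint32_t size;    /* size field with the three flag bits cleared */
    uint32_t flags;   /* low three bits; bit 0 = previous chunk in use */
    uint32_t usable;  /* bytes writable from the user pointer, 0 if unknown */
    bool sane;        /* passes simplified free()-style sanity checks */
};

/* Chunk size malloc() picks for a request: add the size word, round up to 8. */
uint32_t request_to_chunk(uint32_t req)
{
    uint32_t sz = (req + SIZE_SZ32 + ALIGN32 - 1) & ~(uint32_t)(ALIGN32 - 1);
    return sz < MINSIZE32 ? MINSIZE32 : sz;
}

/* Decode the word stored at mem-4, as displayed in the gdb session. */
struct chunk_info decode_chunk(uint32_t mem, uint32_t size_field)
{
    struct chunk_info c = {0};
    c.header = mem - 2 * SIZE_SZ32;
    c.flags = size_field & 7u;
    c.size = size_field & ~7u;
    /* Simplified: big enough, aligned, and not wrapping the address space. */
    c.sane = c.size >= MINSIZE32 && c.header % ALIGN32 == 0 &&
             c.size <= UINT32_MAX - c.header;
    if (c.sane && !(c.flags & IS_MMAPPED32))
        c.usable = c.size - SIZE_SZ32;  /* may use next chunk's prev_size word */
    return c;
}

int main(void)
{
    const uint32_t mem = 0x7f5f43e8u;         /* compressBuf in the session */
    const uint32_t fields[] = { 6057u, 0u };  /* before and after the memcpy */
    for (int i = 0; i < 2; i++) {
        struct chunk_info c = decode_chunk(mem, fields[i]);
        printf("field=0x%x header=0x%x size=%u flags=%u usable=%u sane=%d\n",
               fields[i], c.header, c.size, c.flags, c.usable, c.sane);
    }
    return 0;
}
```

With the session's values, 6057 (0x17a9) decodes to a 6056-byte chunk at 0x7f5f43e0 with the previous-in-use bit set and 6052 writable bytes, which corresponds to a malloc request of 6045 to 6052 bytes. The overwritten value 0 cannot pass a minimum-size check, consistent with the abort raised from _int_free.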