Description of problem:
After opening the attached word document, quitting abiword causes glibc to detect an invalid pointer on free.

Version-Release number of selected component (if applicable):
abiword-2.4.4-2.fc5
fontconfig-2.3.94-1
libXft-2.1.8.2-3.2

How reproducible:
always

Steps to Reproduce:
1. open attached file in abiword
2. quit abiword

Actual results:
(AbiWord-2.4:27802): GModule-CRITICAL **: g_module_close: assertion `module != NULL' failed
(AbiWord-2.4:27802): libgsf:msole-CRITICAL **: ole_get_block: assertion `block < ole->info->max_block' failed
*** glibc detected *** abiword: munmap_chunk(): invalid pointer: 0x000000000102e800 ***
======= Backtrace: =========
/lib64/libc.so.6(__libc_free+0x17a)[0x3d2946da1a]
/usr/lib64/libfontconfig.so.1(FcValueListDestroy+0x360)[0x3d2b323dc0]
/usr/lib64/libfontconfig.so.1(FcPatternDestroy+0xff)[0x3d2b3240af]
/usr/lib64/libXft.so.2[0x3d33f0b293]
/usr/lib64/libXft.so.2(XftFontManageMemory+0x108)[0x3d33f0b448]
abiword(_ZN12XAP_UnixFontD1Ev+0x97)[0x60bc77]
abiword(_ZN19XAP_UnixFontManagerD1Ev+0x49)[0x5fe5b9]
abiword(_ZN11XAP_UnixAppD2Ev+0x46)[0x5fa446]
abiword(_ZN10AP_UnixAppD0Ev+0x63)[0x518423]
abiword(_ZN10AP_UnixApp4mainEPKciPS1_+0x354)[0x519ce4]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x3d2941d084]
abiword(__gxx_personality_v0+0x319)[0x515e59]
Aborted (core dumped)

Expected results:
not crashing

Additional info:
The stack trace looks similar to the one in Bug 182399.

gdb backtrace:
#0 0x0000003d2942f765 in raise () from /lib64/libc.so.6
(gdb) bt
#0 0x0000003d2942f765 in raise () from /lib64/libc.so.6
#1 0x0000003d29431050 in abort () from /lib64/libc.so.6
#2 0x0000003d294665eb in __libc_message () from /lib64/libc.so.6
#3 0x0000003d2946da1a in free () from /lib64/libc.so.6
#4 0x0000003d2b323dc0 in FcValueListDestroy () from /usr/lib64/libfontconfig.so.1
#5 0x0000003d2b3240af in FcPatternDestroy () from /usr/lib64/libfontconfig.so.1
#6 0x0000003d33f0b293 in XftInitFtLibrary () from /usr/lib64/libXft.so.2
#7 0x0000003d33f0b448 in XftFontManageMemory () from /usr/lib64/libXft.so.2
#8 0x000000000060bc77 in ~XAP_UnixFont (this=0xe0d1c0) at xap_UnixFont.cpp:272
#9 0x00000000005fe5b9 in ~XAP_UnixFontManager (this=Variable "this" is not available. ) at ../../../../src/af/util/xp/ut_hash.h:145
#10 0x00000000005fa446 in ~XAP_UnixApp (this=0xd26280) at xap_UnixApp.cpp:140
#11 0x0000000000518423 in ~AP_UnixApp (this=0xd26280) at ap_UnixApp.cpp:184
#12 0x0000000000519ce4 in AP_UnixApp::main (szAppName=Variable "szAppName" is not available. ) at ap_UnixApp.cpp:1546
#13 0x0000003d2941d084 in __libc_start_main () from /lib64/libc.so.6
#14 0x0000000000515e59 in _start ()
#15 0x00007fffff89a0b8 in ?? ()
#16 0x0000000000000000 in ?? ()
Created attachment 127967: document to reproduce crash
I think that this is a duplicate of #182399. BTW - an update to abiword-2.4.4-3.fc5 does not help with this at all.
I can also confirm that this still happens with abiword-1:2.4.4-3.fc5.x86_64
*** This bug has been marked as a duplicate of 182399 ***