I'm actually seeing the same thing, also on x86_64.  selinux is disabled.  Core
dump shows

Core was generated by `cupsd -f'.
Program terminated with signal 11, Segmentation fault.
#0  0x00002aaaac73f610 in context_range_get () from /lib64/libselinux.so.1
(gdb) bt
#0  0x00002aaaac73f610 in context_range_get () from /lib64/libselinux.so.1
#1  0x000055555558e815 in main () from /usr/sbin/cupsd

Same here on i386 SMP

Could you please install the corresponding cups-debuginfo package and try gdb
again?  Thanks.

# gdb --args cupsd -f
...
(gdb) run
Starting program: /usr/sbin/cupsd -f
[Thread debugging using libthread_db enabled]
[New Thread -1208838448 (LWP 15711)]
(tried to print page from Acrobat)
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1208838448 (LWP 15711)]
0x00599f8a in strcmp () from /lib/libc.so.6
(gdb) bt
#0  0x00599f8a in strcmp () from /lib/libc.so.6
#1  0x00d2ba01 in add_job (con=0x8dee098, uri=0x8debd90, dprinter=0xbfc4b180,
filetype=0x8db9358) at ipp.c:1658
#2  0x00d2d368 in print_job (con=0x8dee098, uri=0x8debd90) at ipp.c:7127
#3  0x00d2fbe6 in cupsdProcessIPPRequest (con=0x8dee098) at ipp.c:470
#4  0x00d0e12b in cupsdReadClient (con=0x8dee098) at client.c:1917
#5  0x00d1d1de in main (argc=2, argv=0xbfc5a6e4) at main.c:938
(gdb)

Thanks.  Now what does it say if, at that last (gdb) prompt, you enter 'up' and
then 'info locals'?

Actually, never mind, I think I know what this is.

I'm just about to upload 1.2.2-17 to
http://people.redhat.com/twaugh/tmp/cups-devel -- could you please try that? 
Thanks.

Yes that fixes it, thanks a lot :-D

FWIW here are the locals anyway

(gdb) up
#1  0x00d2ba01 in add_job (con=0x8dee098, uri=0x8debd90, dprinter=0xbfc4b180,
filetype=0x8db9358) at ipp.c:1658
1658          if ((strcmp(userheader, Classification) == 0)
(gdb) info locals
uuid = "urn:uuid:2d9196ef-e1e2-3c08-4c61-c04f8991a7d6\000com:631:54", '\0'
<repeats 883 times>,
"\005Y\000\000\000\000\000\000\000\000\000�f\000\000\000\000\000\000\000\000\000\035\030Y\000<\227ĿX\230ĿWĿxĿ�f\000<\227ĿX\230Ŀ(\230Ŀ�`\000<\227Ŀ\225\031�000|ĿX\230Ŀ\000\000\000\000�
attr = <value optimized out>
md5state = {count = {1024, 0}, abcd = {4019622189, 144499425, 1338007820,
3601305993},
  buf = '\0' <repeats 56 times>, "�001\000\000\000\000\000"}
md5sum = "-\221\226��234\b\fa�\211\221�
status = <value optimized out>
attr = (ipp_attribute_t *) 0x8debe88
dest = 0x8dbef10 "printer2"
dtype = 0
val = <value optimized out>
priority = <value optimized out>
title = 0x8debe30 "Acro000r6pOYn"
job = (cupsd_job_t *) 0x8df17e8
job_uri = "exec \n          dup /$F`Uf\000Ç«Ä¿XUf\000 notXQf\000    h \000\000X
\000\000p du\000\000\000\000ngth exch maxlength eq \n          { pop userdict
dup /$FXQf\000ct kk\000\000\000 not\n   \004\000\000\000   { 100 dic�f\000
Qf\000T \000\000�027�b\a`Y\000�027�b\000\000\000\000T
\000\000�213\000\027�b\034Ŀ"...
method = "ipp\000mdict /internaldict get exec \n       /FlxProc known {save
true} {false} ifelse\n    } \n   {\n      userdict /internaldict known not \n  
     \000\003u8ĿI{�000آ�brdict /internaldict HV�b       {�001�000     "...
username = "\0001.2
0\n%%EndComments\n%%BeginDefaults\n%%EndDefaults\n%%BeginProlog\n%%EndProlog\n%%BeginSetup\n%ADOPrintSettings:
L2 W2 vm op crd os scsa T h ef bg ucr SF EF r b fa pr seps ttf hb EF t2 irt
Printer/PostScr"...
host =
"localhost\000uX\223�b\000\000\000\000�237Ŀ)Q�000�027�bxĿ�Y\000�&\000�001�0008Ŀ\001\000\000\000HĿ�\000\000\000\000`�bHH\000\000�\000\000�d\000\000\003u\002",
'\0' <repeats 11 times>, "H
ſ`C\000\230�\b\002\000\000\000\001\000\000\000\177\000\000HĿ\001\000\000\000\000\003u��000X\223�b�f\000
Qf\000�027�b\bĿ`CY\000 Qf\000�027�b�a�000\000\000\000\027�b�&\000\f�\0000Ŀ�...
resource = "/printers/printer2", '\0' <repeats 37 times>,
"XQf\000\000\000\000\000k\000\000\000\205�\000:\003\000\004\000\000\000@�002\000\000\000\000\000\000\000�f\000
Qf\000T \000\000�027�b\a`Y\000�027�b\000\000\000\000T
\000\000�213\000\027�b�233Ŀ�\000�027�b\020\000\000\000\030\234Ŀ�\000\020\000\000\000\002\000\000\000\001\000\000\000�\000lؤ\000h��&\000\000\000\000\000\000\000\000\000\031�000�027�b\000\000\000\000X\n�020\000\000\000\000\003u�\000(\027�b\031�000"...
port = 631
printer = (cupsd_printer_t *) 0x8dbea08
kbytes = <value optimized out>
i = <value optimized out>
argv = {0x0, 0x0, 0x0}
envp = {0x0, 0xbfc496f0 "", 0x0, 0x0, 0xbfc49684 "", 0x0, 0x0, 0x0, 0x0, 0x0,
0x0, 0x0, 0xbfc497d0 "", 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
  0xffffffff <Address 0xffffffff out of bounds>, 0x1f <Address 0x1f out of
bounds>, 0xd5199b "", 0xd51995 "%c %s ", 0xbfc49684 "",
  0x1 <Address 0x1 out of bounds>, 0x2 <Address 0x2 out of bounds>, 0x0 <repeats
15 times>, 0x20 <Address 0x20 out of bounds>, 0x0, 0x0, 0x0,
  0x73000000 <Address 0x73000000 out of bounds>, 0x1c <Address 0x1c out of
bounds>, 0x0 <repeats 32 times>,
  0xffffffff <Address 0xffffffff out of bounds>, 0x0, 0xbfc4b880 "y\031�,
0xd51999 "s ", 0x0 <repeats 16 times>}
audit_message = <value optimized out>
buffer = '\0' <repeats 1023 times>
acstatus = 0
acpid = 0
printerfile = <value optimized out>
---Type <return> to continue, or q <return> to quit---
userheader = 0x8dc6df8 "none"
userfooter = 0x8dc6e50 "none"
override = <value optimized out>

Great, thanks for testing.

Alan Shutko, your stack trace is entirely different:

#0  0x00002aaaac73f610 in context_range_get () from /lib64/libselinux.so.1
#1  0x000055555558e815 in main () from /usr/sbin/cupsd

Could you please do the same thing (see comment #3) to get a stack trace with
symbols?

In fact, Alan, can you confirm what 'rpm -q cups' says in the first instance? 
Are you running 1.2.2-16 or something earlier?

Hmmm... sorry, I upgraded and got 1.2.2-17 before checking this.  But you'll be
glad to know that -17 fixes my problem as well!