Bug#1117980: gimp: Run gimp and immediately get... "free(): invalid pointer"
Bernhard Übelacker
bernhardu at mailbox.org
Mon Oct 27 15:26:14 GMT 2025
On Sun, 12 Oct 2025 23:30:01 -0700 "Kingsley G. Morse Jr." <kingsley at loaner.com> wrote:
> Package: gimp
> Version: 3.0.4-6.1
> Severity: important
>
> Here's a back trace from running gimp in gdb:
>
> (gdb) bt
> #4 0xb60232a2 in __GI_abort () at ./stdlib/abort.c:73
> #5 0xb60242ac in __libc_message_impl (fmt=<optimized out>) at ../sysdeps/posix/libc_fatal.c:134
> #6 0xb609dd0b in malloc_printerr (str=str at entry=0xb61c808a "free(): invalid pointer")
> at ./malloc/malloc.c:5829
> #7 0xb60a2b53 in _int_free_check (av=0xb6233760 <main_arena>, p=0xdd3830, size=<optimized out>)
> at ./malloc/malloc.c:4560
> #8 _int_free (av=0xb6233760 <main_arena>, p=0xdd3830, have_lock=0) at ./malloc/malloc.c:4692
> #9 __GI___libc_free (mem=0xdd3838) at ./malloc/malloc.c:3476
> #10 0xb79001c8 in g_free () from /lib/i386-linux-gnu/libglib-2.0.so.0
> #11 0x00544d6c in gimp_extension_load (extension=0xdd3970, error=0xbffff298)
> at ../app/core/gimpextension.c:415
> #12 0x004bc894 in gimp_extension_manager_search_directory (manager=manager at entry=0xdbd8f8,
> directory=<optimized out>, system_dir=system_dir at entry=1) at ../app/core/gimpextensionmanager.c:1039
Hello,
I could reproduce this with a Forky/testing i386 VM
(updated from last Trixie/testing for i386).
As far as I can see, the issue is this: below `g_object_new`
some memory gets allocated by `calloc` (see below: 0x1888320).
But this pointer gets shifted by `private_size`,
by 8 bytes, so `g_object_new_internal` returns 0x1888328.
This shifted pointer is later passed to `free`,
which can only handle the unshifted pointer.
Trying to follow where this `private_size` originates
leads to the earlier function call `gegl_config`.
This looks like it modifies the `private_size` of the type `GObject`?
At least I think it is related to the flag HAVE_PRIVATE,
which seems to be active for i386, but not for amd64,
and thereby causes this `private_size` to be set.
If this `private_size` is intentional, the call
to `g_free` would need to take the shift by `private_size` into account.
(Alternatively, since the pointer handed to `g_free` at gimpextension.c:415 is the `GLocalFile` instance
that `g_file_new_for_path` returned at gimpextension.c:402, the release may belong to `g_object_unref`
rather than `g_free`; on amd64 the zero `private_size` would merely hide this, not make it correct.)
Kind regards,
Bernhard
#### When the private_size gets set
Thread 1 hit Hardware watchpoint 7: *(unsigned short*)0x175baa6
Old value = 8
New value = 0
g_type_class_adjust_private_offset (g_class=0x1771440, private_size_or_offset=0xb7a0c17c <GObject_private_offset>) at ../../../gobject/gtype.c:4649
4649 node->data->instance.private_size = private_size;
(rr) bt
#0 g_type_class_adjust_private_offset (g_class=0x1771440, private_size_or_offset=0xb7a0c17c <GObject_private_offset>) at ../../../gobject/gtype.c:4649
#1 0xb79bb65c in g_object_do_class_init (class=<optimized out>) at ../../../gobject/gobject.c:1096
#2 0xb79d801a in type_class_init_Wm (node=0x175ba44, pclass=<optimized out>) at ../../../gobject/gtype.c:2231
#3 g_type_class_get (type=<optimized out>) at ../../../gobject/gtype.c:2760
#4 0xb79d7d29 in g_type_class_get (type=0x1771400 [GeglConfig]) at ../../../gobject/gtype.c:2753
#5 0xb79d8218 in g_type_class_ref (type=0x1771400 [GeglConfig]) at ../../../gobject/gtype.c:2786
#6 0xb79be918 in g_object_new_with_properties (object_type=0x1771400 [GeglConfig], n_properties=0, names=0x0, values=0x0) at ../../../gobject/gobject.c:2806
#7 0xb79bf4e7 in g_object_new (object_type=0x1771400 [GeglConfig], first_property_name=0x0) at ../../../gobject/gobject.c:2476
#8 0xb77728b0 in gegl_config () at /lib/i386-linux-gnu/libgegl-0.4.so.0
#9 0x006ce0b4 in app_libs_init (context=0x1769af0, no_interface=0) at ../app/app.c:121
#10 0x004fbeb1 in main (argc=1, argv=<optimized out>) at ../app/main.c:737
(rr)
(rr) print (GTypeClass *)g_class
$15 = 0x50 [g_type: GObject]
0xb79dc9c5 4647 private_size = ALIGN_STRUCT (node->data->instance.private_size + *private_size_or_offset);
(rr) print *private_size_or_offset
$18 = 4
(rr) print node->data->instance.private_size
$20 = 0
(rr) print *node
$22 = {plugin = 0x0, n_children = 1, n_supers = 0, n_prerequisites = 0, is_abstract = 0, is_classed = 1, is_deprecated = 0, is_instantiatable = 1, is_final = 0, mutatable_check_cache = 1, children = 0x1744b90, data = 0x175ba80,
qname = 25, global_gdata = 0x1741650, _prot = {iface_entries = {data = 0x0}, offsets = {data = 0x0}}, prerequisites = 0x0, supers = {0x50 [GObject]}}
(rr) display GObject_private_offset
2: GObject_private_offset = 4
(rr) print *class
$26 = {g_type_class = {g_type = 0x50 [GObject]}, construct_properties = 0x0, constructor = 0x0, set_property = 0x0, get_property = 0x0, dispose = 0x0, finalize = 0x0, dispatch_properties_changed = 0x0, notify = 0x0, constructed = 0x0,
flags = 0, n_construct_properties = 0, pspecs = 0x0, n_pspecs = 0, pdummy = {0x0, 0x0, 0x0}}
benutzer at debian:~/source/libglib2.0/orig/glib2.0-2.86.1$ cat -n gobject/gobject.c | grep 1096 -C2
1094
1095 #if HAVE_PRIVATE
1096 g_type_class_adjust_private_offset (class, &GObject_private_offset);
1097 #endif
1098 }
benutzer at debian:~/source/libglib2.0/orig/glib2.0-2.86.1$
./gobject/gobject.c:120:#define HAVE_PRIVATE (!HAVE_OPTIONAL_FLAGS_IN_GOBJECT)
benutzer at debian:~/source/libglib2.0/orig/glib2.0-2.86.1$ cat -n gobject/gobject.c | grep -E " 112[^0-9]" -B1 -A3
111 #if SIZEOF_INT == 4 && GLIB_SIZEOF_VOID_P >= 8
112 #define HAVE_OPTIONAL_FLAGS_IN_GOBJECT 1
113 #else
114 #define HAVE_OPTIONAL_FLAGS_IN_GOBJECT 0
115 #endif
benutzer at debian:~/source/libglib2.0/orig/glib2.0-2.86.1$
(rr) reverse-cont
Continuing.
Thread 1 hit Hardware watchpoint 6: *(unsigned short*)0x177cbb6
Old value = 8
New value = 0
0xb79d7e62 in type_class_init_Wm (node=0x177cb50, pclass=<optimized out>) at ../../../gobject/gtype.c:2147
2147 node->data->instance.private_size = pnode->data->instance.private_size;
(rr) bt
#0 0xb79d7e62 in type_class_init_Wm (node=0x177cb50, pclass=<optimized out>) at ../../../gobject/gtype.c:2147
#1 g_type_class_get (type=<optimized out>) at ../../../gobject/gtype.c:2760
#2 0xb79d8218 in g_type_class_ref (type=0x177cb50 [GLocalFile]) at ../../../gobject/gtype.c:2786
#3 0xb79be918 in g_object_new_with_properties (object_type=0x177cb50 [GLocalFile], n_properties=0, names=0x0, values=0x0) at ../../../gobject/gobject.c:2806
#4 0xb79bf4e7 in g_object_new (object_type=0x177cb50 [GLocalFile], first_property_name=0x0) at ../../../gobject/gobject.c:2476
#5 0xb7619a50 in _g_local_file_new (filename=0x1779de0 "/etc/gimp/3.0") at ../../../gio/glocalfile.c:233
#6 0xb76233a9 in g_local_vfs_get_file_for_path (vfs=0x177c990 [GLocalVfs], path=0x1779de0 "/etc/gimp/3.0") at ../../../gio/glocalvfs.c:88
#7 0xb753a119 in g_file_new_for_path (path=0x1779de0 "/etc/gimp/3.0") at ../../../gio/gfile.c:7222
#8 0xb7ec09d4 in gimp_child_file (parent=<optimized out>, element=0x97681c "gimprc", args=0xbff8c704 "") at ../libgimpbase/gimpenv.c:715
#9 gimp_sysconf_directory_file (first_element=0x97681c "gimprc") at ../libgimpbase/gimpenv.c:879
#10 0x006c35b9 in gimp_early_rc_set_property (object=0x1779db8 [GimpEarlyRc], property_id=2, value=0xbff8c758, pspec=0x1779aa8 [GParamObject]) at ../app/config/gimpearlyrc.c:195
#11 0xb79baac1 in object_set_property (object=object at entry=0x1779db8 [GimpEarlyRc], pspec=0x1779aa8 [GParamObject], value=0xbff8c950, nqueue_is_frozen=0, user_specified=1) at ../../../gobject/gobject.c:2258
#12 0xb79bd34d in g_object_new_internal (class=class at entry=0x1779920, params=0xbff8c8bc, n_params=3) at ../../../gobject/gobject.c:2709
#13 0xb79bf23c in g_object_new_internal (class=<optimized out>, params=0xbff8c8bc, n_params=3) at ../../../gobject/gobject.c:2965
#14 g_object_new_valist (object_type=<optimized out>, first_property_name=<optimized out>, var_args=<optimized out>) at ../../../gobject/gobject.c:3003
#15 0xb79bf4c9 in g_object_new (object_type=0x17791b0 [GimpEarlyRc], first_property_name=0x95f2d6 "verbose") at ../../../gobject/gobject.c:2479
#16 0x006c3876 in gimp_early_rc_new (system_gimprc=0x0, user_gimprc=0x0, verbose=0) at ../app/config/gimpearlyrc.c:305
#17 0x004fc3e2 in gimp_early_configuration () at ../app/main.c:475
#18 gimp_options_group_parse_hook (context=0x1769af0, group=0x17713c0, data=0x0, error=0xbff8cc44) at ../app/main.c:535
#19 0xb7893951 in g_option_context_parse (context=<optimized out>, argc=<optimized out>, argv=<optimized out>, error=<optimized out>) at ../../../glib/goption.c:2077
#20 0xb7894989 in g_option_context_parse_strv (context=0x1769af0, arguments=0xbff8cc3c, error=0xbff8cc44) at ../../../glib/goption.c:2622
#21 0x004fbec2 in main (argc=1, argv=<optimized out>) at ../app/main.c:739
(rr)
#### When the memory gets allocated
Thread 1 hit Breakpoint 3.1, __libc_calloc (n=1, elem_size=24) at ./malloc/malloc.c:3783
warning: 3783 ./malloc/malloc.c: Datei oder Verzeichnis nicht gefunden
(rr) finish
Run till exit from #0 __libc_calloc (n=1, elem_size=24) at ./malloc/malloc.c:3783
g_malloc0 (n_bytes=24) at ../../../glib/gmem.c:135
135 if (mem)
Value returned is $1 = (void *) 0x1888320
(rr) finish
Run till exit from #0 g_malloc0 (n_bytes=24) at ../../../glib/gmem.c:135
0xb79d8bf4 in g_type_create_instance (type=0x177cb50 [GLocalFile]) at ../../../gobject/gtype.c:1884
1884 instance = (GTypeInstance *) (allocated + private_size);
Value returned is $2 = (void *) 0x1888320
(rr) print allocated
$3 = (gchar *) 0x1888320 ""
(rr) print private_size
$4 = 8
(rr) bt
#0 0xb79d8bf4 in g_type_create_instance (type=0x177cb50 [GLocalFile]) at ../../../gobject/gtype.c:1884
#1 0xb79bd1e2 in g_object_new_internal (class=0x177baf0, params=0x0, n_params=0) at ../../../gobject/gobject.c:2665
#2 0xb79be7d7 in g_object_new_internal (class=<optimized out>, params=<optimized out>, n_params=<optimized out>) at ../../../gobject/gobject.c:2662
#3 g_object_new_with_properties (object_type=<optimized out>, n_properties=<optimized out>, names=<optimized out>, values=<optimized out>) at ../../../gobject/gobject.c:2827
#4 0xb79bf4e7 in g_object_new (object_type=0x177cb50 [GLocalFile], first_property_name=0x0) at ../../../gobject/gobject.c:2476
#5 0xb7619a50 in _g_local_file_new (filename=0x187b670 "/usr/lib/i386-linux-gnu/gimp/3.0/extensions/org.gimp.extension.goat-exercises/org.gimp.extension.goat-exercises.metainfo.xml") at ../../../gio/glocalfile.c:233
#6 0xb76233a9 in g_local_vfs_get_file_for_path (vfs=0x177c990 [GLocalVfs], path=0x187b670 "/usr/lib/i386-linux-gnu/gimp/3.0/extensions/org.gimp.extension.goat-exercises/org.gimp.extension.goat-exercises.metainfo.xml") at ../../../gio/glocalvfs.c:88
#7 0xb753a119 in g_file_new_for_path (path=0x187b670 "/usr/lib/i386-linux-gnu/gimp/3.0/extensions/org.gimp.extension.goat-exercises/org.gimp.extension.goat-exercises.metainfo.xml") at ../../../gio/gfile.c:7222
#8 0x005a1d36 in gimp_extension_load (extension=0x1888460 [GimpExtension], error=0xbff8c758) at ../app/core/gimpextension.c:402
#9 0x00519894 in gimp_extension_manager_search_directory (manager=manager at entry=0x1871c08 [GimpExtensionManager], directory=<optimized out>, system_dir=system_dir at entry=1) at ../app/core/gimpextensionmanager.c:1039
#10 0x00519e9f in gimp_extension_manager_initialize (manager=0x1871c08 [GimpExtensionManager]) at ../app/core/gimpextensionmanager.c:596
#11 0x004fd2dc in gimp_constructed (object=0x1816cb8 [Gimp]) at ../app/core/gimp.c:319
#12 0xb79bd379 in g_object_new_internal (class=class at entry=0x182f970, params=0xbff8c90c, n_params=2) at ../../../gobject/gobject.c:2715
#13 0xb79bf23c in g_object_new_internal (class=<optimized out>, params=0xbff8c90c, n_params=2) at ../../../gobject/gobject.c:2965
#14 g_object_new_valist (object_type=<optimized out>, first_property_name=<optimized out>, var_args=<optimized out>) at ../../../gobject/gobject.c:3003
#15 0xb79bf4c9 in g_object_new (object_type=0x1775b40 [Gimp/GimpObject], first_property_name=0x96bf38 "name") at ../../../gobject/gobject.c:2479
#16 0x004fda77 in gimp_new (name=0x1744650 "gimp", session_name=0x0, default_folder=0x0, be_verbose=0, no_data=0, no_fonts=0, no_interface=0, use_shm=1, use_cpu_accel=1, console_messages=0, show_playground=0, show_debug_menu=0, stack_trace_mode=GIMP_STACK_TRACE_NEVER, pdb_compat_mode=GIMP_PDB_COMPAT_ON) at ../app/core/gimp.c:617
#17 0x006ce214 in app_run (full_prog_name=0x1744650 "gimp", filenames=0x0, alternate_system_gimprc=0x0, alternate_gimprc=0x0, session_name=0x0, batch_interpreter=0x0, batch_commands=0x0, quit=0, as_new=0, no_interface=0, no_data=0, no_fonts=0, no_splash=0, be_verbose=0, use_shm=1, use_cpu_accel=1, console_messages=0, use_debug_handler=0, show_playground=0, show_debug_menu=0, stack_trace_mode=GIMP_STACK_TRACE_NEVER, pdb_compat_mode=GIMP_PDB_COMPAT_ON, backtrace_file=0x175b430 "/home/benutzer/.config/GIMP/3.0/CrashLog/gimp-crash-1761572830.txt") at ../app/app.c:227
#18 0x004fbfd0 in main (argc=1, argv=<optimized out>) at ../app/main.c:793
(rr) finish
Run till exit from #0 0xb79d8bf4 in g_type_create_instance (type=0x177cb50 [GLocalFile]) at ../../../gobject/gtype.c:1884
0xb79bd1e2 in g_object_new_internal (class=0x177baf0, params=0x0, n_params=0) at ../../../gobject/gobject.c:2665
2665 object = (GObject *) g_type_create_instance (class->g_type_class.g_type);
Value returned is $31 = 0x1888328 [GLocalFile]
(rr)
-- On amd64 `private_size` is zero --> therefore the later `free` receives the pointer in `allocated`
-- On i386 `private_size` is 8 --> therefore the later `free` receives the pointer `allocated + 8`
#### When the memory gets freed
Thread 1 hit Breakpoint 11, __GI_abort () at ./stdlib/abort.c:72
warning: 72 ./stdlib/abort.c: Datei oder Verzeichnis nicht gefunden
(rr) bt
#0 __GI_abort () at ./stdlib/abort.c:72
#1 0xb61242ac in __libc_message_impl (fmt=<optimized out>) at ../sysdeps/posix/libc_fatal.c:134
#2 0xb619dd0b in malloc_printerr (str=str at entry=0xb62c808a "free(): invalid pointer") at ./malloc/malloc.c:5829
#3 0xb61a2b53 in _int_free_check (av=0xb6333760 <main_arena>, p=0x1888320, size=<optimized out>) at ./malloc/malloc.c:4560
#4 _int_free (av=0xb6333760 <main_arena>, p=0x1888320, have_lock=0) at ./malloc/malloc.c:4692
#5 __GI___libc_free (mem=0x1888328) at ./malloc/malloc.c:3476
#6 0xb788a2a8 in g_free (mem=0x1888328) at ../../../glib/gmem.c:208
#7 0x005a1d6c in gimp_extension_load (extension=0x1888460 [GimpExtension], error=0xbff8c758) at ../app/core/gimpextension.c:415
#8 0x00519894 in gimp_extension_manager_search_directory (manager=manager at entry=0x1871c08 [GimpExtensionManager], directory=<optimized out>, system_dir=system_dir at entry=1) at ../app/core/gimpextensionmanager.c:1039
#9 0x00519e9f in gimp_extension_manager_initialize (manager=0x1871c08 [GimpExtensionManager]) at ../app/core/gimpextensionmanager.c:596
#10 0x004fd2dc in gimp_constructed (object=0x1816cb8 [Gimp]) at ../app/core/gimp.c:319
#11 0xb79bd379 in g_object_new_internal (class=class at entry=0x182f970, params=0xbff8c90c, n_params=2) at ../../../gobject/gobject.c:2715
#12 0xb79bf23c in g_object_new_internal (class=<optimized out>, params=0xbff8c90c, n_params=2) at ../../../gobject/gobject.c:2965
#13 g_object_new_valist (object_type=<optimized out>, first_property_name=<optimized out>, var_args=<optimized out>) at ../../../gobject/gobject.c:3003
#14 0xb79bf4c9 in g_object_new (object_type=0x1775b40 [Gimp/GimpObject], first_property_name=0x96bf38 "name") at ../../../gobject/gobject.c:2479
#15 0x004fda77 in gimp_new (name=0x1744650 "gimp", session_name=0x0, default_folder=0x0, be_verbose=0, no_data=0, no_fonts=0, no_interface=0, use_shm=1, use_cpu_accel=1, console_messages=0, show_playground=0, show_debug_menu=0, stack_trace_mode=GIMP_STACK_TRACE_NEVER, pdb_compat_mode=GIMP_PDB_COMPAT_ON) at ../app/core/gimp.c:617
#16 0x006ce214 in app_run (full_prog_name=0x1744650 "gimp", filenames=0x0, alternate_system_gimprc=0x0, alternate_gimprc=0x0, session_name=0x0, batch_interpreter=0x0, batch_commands=0x0, quit=0, as_new=0, no_interface=0, no_data=0, no_fonts=0, no_splash=0, be_verbose=0, use_shm=1, use_cpu_accel=1, console_messages=0, use_debug_handler=0, show_playground=0, show_debug_menu=0, stack_trace_mode=GIMP_STACK_TRACE_NEVER, pdb_compat_mode=GIMP_PDB_COMPAT_ON, backtrace_file=0x175b430 "/home/benutzer/.config/GIMP/3.0/CrashLog/gimp-crash-1761572830.txt") at ../app/app.c:227
#17 0x004fbfd0 in main (argc=1, argv=<optimized out>) at ../app/main.c:793