Bug 198526 - app-text/xpdf-3.01-r8 (app-text/poppler-0.6.1) crashes after using link
Summary: app-text/xpdf-3.01-r8 (app-text/poppler-0.6.1) crashes after using link
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: x86 Linux
: High normal (vote)
Assignee: Printing Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-11-09 02:32 UTC by Ewgenij Starostin
Modified: 2007-11-18 13:01 UTC
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Fix bad pointer after using a link in a PDF document. (xpdf-3.01-poppler-link-segfault.patch, 978 bytes, patch)
2007-11-10 02:31 UTC, Ewgenij Starostin

Description Ewgenij Starostin 2007-11-09 02:32:00 UTC
When opening a PDF file with internal links in xpdf, it crashes with a segmentation fault on changing the page after using a link.

Reproducible: Always

Steps to Reproduce:
1. Open http://user.cs.tu-berlin.de/~estar/crsh.pdf (fairly minimal example).
2. Click on the first line (it’s a link).
3. Go to the next page.

Actual Results:  
Segmentation fault

Expected Results:  
Show page 2.

After setting MALLOC_CHECK_=2 (check malloc/free operations and abort ASAP), the backtrace looks like this (#17-#9 xpdf, #8-#6 libpoppler):
Program received signal SIGABRT, Aborted. […]
#3  0xb7c8c190 in malloc_printerr (action=2, str=0xb7d36492 "free(): invalid pointer", 
    ptr=0x74bf) at malloc.c:5896
#4  0xb7c8dcde in *__GI___libc_free (mem=0x810c690) at malloc.c:3590
#5  0x4bc9a263 in operator delete ()
   from /usr/lib/gcc/i686-pc-linux-gnu/4.2.2/libstdc++.so.6
#6  0xb7e4e9a2 in ~LinkGoTo (this=0x80b6ad8) at Link.cc:451
#7  0xb7e4da72 in ~Link (this=0x810e2a0) at Link.cc:772
#8  0xb7e4dbdb in ~Links (this=0x80fed90) at Link.cc:816
#9  0x08054554 in ~PDFCorePage (this=0x8102988) at PDFCore.cc:47
#10 0x08054983 in PDFCore::update (this=0x80d8e50, topPageA=2, scrollXA=0, scrollYA=0, 
    zoomA=125, rotateA=0, force=0, addToHist=1) at PDFCore.cc:404
#11 0x0805c875 in XPDFCore::update (this=0x80d8e50, topPageA=2, scrollXA=0, scrollYA=0, 
    zoomA=125, rotateA=0, force=0, addToHist=1) at XPDFCore.cc:293
#12 0x0804f543 in PDFCore::gotoNextPage (this=0x80d8e50, inc=1, top=1) at PDFCore.cc:824
#13 0x0805c779 in XPDFCore::gotoNextPage (this=0x80d8e50, inc=1, top=1) at XPDFCore.cc:320
#14 0x0804f85f in PDFCore::scrollPageDown (this=0x80d8e50) at PDFCore.cc:938
#15 0x080674af in XPDFViewer::keyPressCbk (data=0x80b6578, s=0xbfb62f58 " ", key=32, 
    modifiers=0) at XPDFViewer.cc:354
#16 0x08058122 in XPDFCore::keyPress (this=0x80d8e50, s=0xbfb62f58 " ", key=32, 
    modifiers=0) at XPDFCore.cc:1211
#17 0x0805c552 in XPDFCore::inputCbk (widget=0x80df238, ptr=0x80d8e50, callData=0xbfb63020)
    at XPDFCore.cc:1144
#18 0x4b9ef7c1 in XtCallCallbackList () from /usr/lib/libXt.so.6 […]

A workaround is to set MALLOC_CHECK_=1 so that the program isn’t aborted/killed when the above happens, but this isn’t an ideal solution. I haven’t figured out why the delete operator in Link.cc:451 fails, but the object at namedDest breaks at some point after the constructor:
Breakpoint 4, LinkGoTo (this=0x80fcf18, destObj=0xbfd0f344) at Link.cc:431
431	    namedDest = destObj->getString()->copy();
(gdb) next
(gdb) print *namedDest
$2 = {static STR_STATIC_SIZE = 24, static CALC_STRING_LEN = -1, 
  sStatic = "UNDEFINED\000[…]", length = 9, s = 0x80f9868 "UNDEFINED"}
(gdb) cont
Breakpoint 3, ~LinkGoTo (this=0x80fcf18) at Link.cc:451
451	    delete namedDest;
(gdb) print *namedDest
$3 = {static STR_STATIC_SIZE = 24, static CALC_STRING_LEN = -1, 
  sStatic = "0â\021\bFINED\000[…]", length = 9, s = 0x80f9868 "0â\021\bFINED"}
So then line 451 does the C++ equivalent of a double free(). (Sorry if I’ve been too verbose.)

$ emerge --info
Portage 2.1.3.19 (hardened/x86/2.6, gcc-4.2.2, glibc-2.7-r0, 2.6.23-hardened i686)
=================================================================
System uname: 2.6.23-hardened i686 Intel(R) Core(TM)2 CPU T5600 @ 1.83GHz
Timestamp of tree: Thu, 08 Nov 2007 10:46:01 +0000
app-shells/bash:     3.2_p17-r1
dev-java/java-config: 1.3.7, 2.1.2-r1
dev-lang/python:     2.4.4-r4, 2.5.1-r3
dev-python/pycrypto: 2.0.1-r6
sys-apps/baselayout: 1.12.10-r5
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r1
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.18-r1
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.24
virtual/os-headers:  2.6.23
ACCEPT_KEYWORDS="x86 ~x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=nocona -O0 -ggdb3 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-march=nocona -O0 -ggdb3 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="candy collision-protect confcache distlocks installsources metadata-transfer nostrip parallel-fetch sandbox sfperms strict unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://213.186.33.37/gentoo-distfiles/"
LANG="en_GB.UTF-8"
LINGUAS="en_GB en en_US de fr es ru"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="3ds 7zip X X509 a52 aac aalib abook ace acl acpi additions aim alisp alsa amr ansi apache2 arj artworkextra asf async audiofile auth bash-completion bcmath berkdb bidi binfilter blender-game bluetooth bonusscripts boost bzip2 cairo cal3d calendar cardbus cddb cdparanoia chipcard chipcard2 chm cjk cli colordiff cpudetection cracklib crypt cscope css ctype cups curl curlwrappers cyrillic dbase dbm dbus dbx devhelp dga dhcp dia divx djvu doc doomsday dri dts dv dvd dvdnav dvdr dvdread eap-tls ecc effects emf enca encode erandom examples exif extensions extra extrafilters fame fbcon fbsplash ffmpeg fftw figlet filter finger firefox flac flash flatfile fltk fluidsynth foomaticdb fpx ftp fuse games gcc-libffi gcc64 gcj gconf gd gdbm geldkarte geoip ggi gif gimp gimpprint ginac glade glep glgd glib glibc-omitfp glitz glut gmedia gmp gnuplot gnutls gopher gpgme gphoto2 gpm graphics graphviz gs gsl gsm gtk gtk2 gtkhtml guile hal hardened hash hbci hddtemp hdri hfs html humanities i8x0 iconv icq icu id3 idea idn imagemagick imap imlib immqt inkjar insecure-savers ipod ipv6 ipw3945 irda iso14755 ithreads jabber java jce john jpeg jpeg2k json kerberos keyscrub kqemu ladspa lame lash lcms ldap ldap-sasl libcaca libdsk libnotify libsamplerate libsexy libwww lights linuxthreads-tls live lm_sensors logrotate lua lzo lzw m17n-lib math matroska mbox mcal mccp md5sum meanwhile mhash midi mime mimencode ming mjpeg mmap mmx mmxext mng mozbranding mozdevelop mozembed mozilla moznocompose moznoirc moznomail mozsvg mp2 mp3 mp3rtp mp4 mp4live mpeg mpeg2 mplayer mpm-worker msn musepack mysql ncurses net nethack network networking new-interface nfconntrack nfs nis nls nntp normalizemime nptl nptlonly nsplugin ntlm offensive ofx ogg on-the-fly-crypt openal openct openexr opengl openmp oscar overload pam pango passwordsave pch pcmcia pcntl pcre pda pdf perl php pic plotutils plugin png pnm posix print pstricks publishers python qt3support quicktime rar readline real realmedia reflection 
regex resolvconf rle rtc ruby scanner science sdl sensord session sharedext shorten sift silc simplexml slang smartcard smime smp smtp sndfile sockets sound sox speex spell spl sqlite sqlite3 sse sse2 ssl subtitles suhosin svg svgz syslog sysvipc t1lib tcpd tetex tga theora threads threadsafe tidy tiff tokenizer truetype type1 ucs2 ucs4 unicode urandom usb v4l v4l2 vcd vim vim-syntax vorbis vorbis-psy wavpack wifi win32codecs wma wmf wmp x264 x86 xanim xcb xchatdccserver xcomposite xetex xface xforms xim xinetd xml xmlreader xmlrpc xmlwriter xorg xosd xplanet xpm xprint xrandr xscreensaver xsl xslt xv xvid xvmc yahoo yv12 zip zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="evdev keyboard synaptics mouse wacom" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en_GB en en_US de fr es ru" USERLAND="GNU" VIDEO_CARDS="i810"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Ewgenij Starostin 2007-11-10 02:31:38 UTC
Created attachment 135613
Fix bad pointer after using a link in a PDF document.

C++’s default shallow copy constructor must not be used with objects of the GooString class of poppler, because GooString allocates memory. The crash was due to a shallow copy of a GooString containing a link ID being made; the copy was deleted soon while the original object pointed to freed memory. If glibc is instructed to ignore double free()s, no immediate crash occurs but some data structure might eventually get corrupted and the link might stop working (oh, horror!). (In terms of hours wasted per bytes of code changed, this is probably a personal record.)
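The shallow-copy double free explained in this comment, together with the MALLOC_CHECK_=2 detection used in the description, replayed as an added C++ example. This is not poppler's or xpdf's code and not the attached patch: ShallowString is a hypothetical stand-in for a GooString-like class that relies on the compiler-generated member-wise copy, DeepString is the hypothetical rule-of-three fix (copy constructor and assignment duplicate the buffer, which is what poppler's own copy() idiom achieves), and TrackedHeap is a constructed instrumented heap that plays the role of glibc's MALLOC_CHECK_=2 by counting a second free of the same buffer instead of aborting.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <map>

// Constructed stand-in for MALLOC_CHECK_=2: every buffer handed out is tracked,
// and a second release of the same buffer is counted rather than aborting, so
// the defect can be observed without running into undefined behaviour.
struct TrackedHeap {
    std::map<char *, bool> live;   // buffer -> true while allocated
    int doubleFrees = 0;

    char *alloc(std::size_t n) {
        char *p = new char[n];
        live[p] = true;            // an address may be reused after a free: mark it live again
        return p;
    }
    void release(char *p) {
        std::map<char *, bool>::iterator it = live.find(p);
        if (it == live.end() || !it->second) {
            ++doubleFrees;         // this is where glibc printed "free(): invalid pointer"
            return;
        }
        it->second = false;
        delete[] p;
    }
};

static TrackedHeap g_heap;

// Hypothetical class with the defect described in the comment: it owns a heap
// buffer but declares no copy constructor, so the compiler-generated copy
// leaves two objects pointing at the same buffer.
class ShallowString {
public:
    char *s;
    int length;
    explicit ShallowString(const char *src) : length((int)std::strlen(src)) {
        s = g_heap.alloc(length + 1);
        std::memcpy(s, src, length + 1);
    }
    ~ShallowString() { g_heap.release(s); }
};

// Hypothetical fixed version (rule of three): copies duplicate the buffer, so
// each object frees only what it allocated itself.
class DeepString {
public:
    char *s;
    int length;
    explicit DeepString(const char *src) : length((int)std::strlen(src)) {
        s = g_heap.alloc(length + 1);
        std::memcpy(s, src, length + 1);
    }
    DeepString(const DeepString &o) : length(o.length) {
        s = g_heap.alloc(length + 1);
        std::memcpy(s, o.s, length + 1);
    }
    DeepString &operator=(const DeepString &o) {
        if (this != &o) {
            char *n = g_heap.alloc(o.length + 1);
            std::memcpy(n, o.s, o.length + 1);
            g_heap.release(s);
            s = n;
            length = o.length;
        }
        return *this;
    }
    ~DeepString() { g_heap.release(s); }
};

// Replays the report's sequence: an object holding a named destination is
// copied, the copy goes away, then the original is destroyed.
int shallowCopyDoubleFrees() {
    int before = g_heap.doubleFrees;
    {
        ShallowString original("UNDEFINED");
        {
            ShallowString copy = original;   // copy.s == original.s
        }                                    // copy's destructor frees the shared buffer
    }                                        // original frees the same buffer again
    return g_heap.doubleFrees - before;      // 1
}

int deepCopyDoubleFrees() {
    int before = g_heap.doubleFrees;
    {
        DeepString original("UNDEFINED");
        {
            DeepString copy = original;      // copy.s != original.s
        }
    }
    return g_heap.doubleFrees - before;      // 0
}

// With a deep copy the original still reads back intact after the copy is gone.
bool deepCopyKeepsOriginalIntact() {
    DeepString original("UNDEFINED");
    {
        DeepString copy = original;
    }
    return std::strcmp(original.s, "UNDEFINED") == 0;
}

int main() {
    std::printf("shallow copy: %d double free(s)\n", shallowCopyDoubleFrees());
    std::printf("deep copy:    %d double free(s)\n", deepCopyDoubleFrees());
    std::printf("deep copy keeps original intact: %s\n",
                deepCopyKeepsOriginalIntact() ? "yes" : "no");
    return 0;
}
```

The instrumented heap is what makes the difference visible: with a real allocator the shallow-copy path is undefined behaviour, which is exactly why the report needed MALLOC_CHECK_=2 to turn a silent corruption into an immediate abort with a usable backtrace.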
Comment 2 Stefan Schweizer (RETIRED) gentoo-dev 2007-11-18 13:01:07 UTC
xpdf-3.02 is out. Please reopen if it is not fixed there.