The crash seems to be caused by a nested (graphics-)text object used as document title with shadows.

Reproduced the crash with LO 7.5:

Version: 7.5.3.2 (X86_64) / LibreOffice Community
Build ID: 9f56dff12ba03b9acd7730a5a481eea045e468f3
CPU threads: 20; OS: Windows 10.0 Build 22621; UI render: Skia/Raster; VCL: win
Locale: en-US (en_DE); UI: en-GB
Calc: CL threaded

Created attachment 188771 [details]
Backtrace using Visual Studio 2022

Repro with

Version: 24.2.0.0.alpha0+ (X86_64) / LibreOffice Community
Build ID: 34387332173782498acd4998c7c665d04ebc3c7d
CPU threads: 15; OS: Windows 10.0 Build 19045; UI render: default; VCL: win
Locale: hu-HU (hu_HU); UI: en-US
Calc: threaded

Both files did open fine in 7.3, started to crash in 7.4.

Bibisected on windows-7.4 to:

https://git.libreoffice.org/core/+/44eef5f494825a26594ba3d50ef1f3211ae73b9b

author	Attila Bakos (NISZ) <bakos.attilakaroly@nisz.hu>	Mon Jun 20 17:27:53 2022 +0200
committer	László Németh <nemeth@numbertext.org>	Wed Jul 13 09:25:10 2022 +0200

tdf#148687 tdf#149173 tdf#149546 sw: fix crash with textboxes

Adding CC to: Attila Bakos

Created attachment 188786 [details]
Minimal version of the DOCX attachment that still reproduces the crash

The attached file is a minified version of the attachment 188762 [details] which still reproduces the crash.

It contains a box with an image and a text box inside it.

Created attachment 189319 [details]
bt with debug symbols

On pc Debian x86-64 with master sources updated today, I could reproduce this.

The pb is the object is destroyed:
#0  SwAnchoredObject::~SwAnchoredObject() (this=0x5600c10ec0a0) at sw/source/core/layout/anchoredobject.cxx:104
#1  0x00007f937aa05a10 in SwFlyFrame::~SwFlyFrame() (this=0x5600c10ebf40) at sw/source/core/layout/fly.cxx:372
#2  0x00007f937aa258ad in SwFlyFreeFrame::~SwFlyFreeFrame() (this=0x5600c10ebf40) at sw/source/core/layout/flylay.cxx:98
#3  0x00007f937aa2c2b5 in SwFlyLayFrame::~SwFlyLayFrame() (this=0x5600c10ebf40) at sw/source/core/inc/flyfrms.hxx:150
#4  0x00007f937aa2c2d9 in SwFlyLayFrame::~SwFlyLayFrame() (this=0x5600c10ebf40) at sw/source/core/inc/flyfrms.hxx:150
#5  0x00007f937ab2c8a5 in SwFrame::DestroyFrame(SwFrame*) (pFrame=0x5600c10ebf40) at sw/source/core/layout/ssfrm.cxx:397
#6  0x00007f937a9c0c92 in SwFrameFormat::DelFrames() (this=0x5600c11d25f0) at sw/source/core/layout/atrfrm.cxx:2764
#7  0x00007f937a3d1c9d in SwDoc::SetFlyFrameAnchor(SwFrameFormat&, SfxItemSet&, bool)
    (this=0x5600c1059040, rFormat=..., rSet=SfxItemSet of pool 0x5600c1056800 with parent 0x5600c11d26b8 and Which ranges: [(88, 140), (159, 159), (1014, 1034)] = {...}, bNewFrames=false)
    at sw/source/core/doc/docfly.cxx:287
#8  0x00007f937a3d3600 in lcl_SetFlyFrameAttr(SwDoc&, signed char (SwDoc::*)(SwFrameFormat&, SfxItemSet&, bool), SwFrameFormat&, SfxItemSet&)
    (rDoc=..., pSetFlyFrameAnchor=(sal_Int8 (SwDoc::*)(SwDoc * const, SwFrameFormat &, SfxItemSet &, bool)) 0x7f937a3d1a70 <SwDoc::SetFlyFrameAnchor(SwFrameFormat&, SfxItemSet&, bool)>, rFlyFormat=..., rSet=SfxItemSet of pool 0x5600c1056800 with parent 0x5600c11d26b8 and Which ranges: [(88, 140), (159, 159), (1014, 1034)] = {...}) at sw/source/core/doc/docfly.cxx:435
#9  0x00007f937a3d342e in SwDoc::SetFlyFrameAttr(SwFrameFormat&, SfxItemSet&)
    (this=0x5600c1059040, rFlyFormat=..., rSet=SfxItemSet of pool 0x5600c1056800 with parent 0x5600c11d26b8 and Which ranges: [(88, 140), (159, 159), (1014, 1034)] = {...}) at sw/source/core/doc/docfly.cxx:544
#10 0x00007f937b093a74 in SwXFrame::setPropertyValue(rtl::OUString const&, com::sun::star::uno::Any const&)
    (this=0x5600c16de740, rPropertyName="AnchorType", _rValue=uno::Any("com.sun.star.text.TextContentAnchorType": com::sun::star::text::TextContentAnchorType::TextContentAnchorType_AT_CHARACTER))
    at sw/source/core/unocore/unoframe.cxx:1933
#11 0x00007f937a6d7acd in SwTextBoxHelper::changeAnchor(SwFrameFormat*, SdrObject*) (pShape=0x5600c13980f0, pObj=0x5600c1185420) at sw/source/core/doc/textboxhelper.cxx:1253
#12 0x00007f937a6da577 in SwTextBoxHelper::synchronizeGroupTextBoxProperty(bool (*)(SwFrameFormat*, SdrObject*), SwFrameFormat*, SdrObject*)
    (pFunc=0x7f937a6d73c0 <SwTextBoxHelper::changeAnchor(SwFrameFormat*, SdrObject*)>, pFormat=0x5600c13980f0, pObj=0x5600c1185420) at sw/source/core/doc/textboxhelper.cxx:1587
#13 0x00007f937a6da553 in SwTextBoxHelper::synchronizeGroupTextBoxProperty(bool (*)(SwFrameFormat*, SdrObject*), SwFrameFormat*, SdrObject*)
    (pFunc=0x7f937a6d73c0 <SwTextBoxHelper::changeAnchor(SwFrameFormat*, SdrObject*)>, pFormat=0x5600c13980f0, pObj=0x5600c1024b10) at sw/source/core/doc/textboxhelper.cxx:1583
#14 0x00007f937ace2ca7 in SwFlyCntPortion::SetBase(SwTextFrame const&, Point const&, long, long, long, long, AsCharFlags)
    (this=0x5600c16e56f0, rFrame=..., rBase=Point = {...}, nLnAscent=224, nLnDescent=52, nFlyAsc=224, nFlyDesc=52, nFlags=(AsCharFlags::UlSpace | AsCharFlags::Init)) at sw/source/core/text/porfly.cxx:374
#15 0x00007f937ace31b5 in sw::DrawFlyCntPortion::Create(SwTextFrame const&, SwFrameFormat const&, Point const&, long, long, long, long, AsCharFlags)
    (rFrame=..., rFormat=..., rBase=Point = {...}, nLnAscent=224, nLnDescent=52, nFlyAsc=224, nFlyDesc=52, nFlags=AsCharFlags::None) at sw/source/core/text/porfly.cxx:305
#16 0x00007f937acc0cc1 in SwTextFormatter::NewFlyCntPortion(SwTextFormatInfo&, SwTextAttr*) const (this=0x7ffe6ac97888, rInf=..., pHint=0x5600c1206b10) at sw/source/core/text/itrform2.cxx:3018
#17 0x00007f937ad605a4 in SwTextFormatter::NewExtraPortion(SwTextFormatInfo&) (this=0x7ffe6ac97888, rInf=...) at sw/source/core/text/txtfld.cxx:371
#18 0x00007f937acb76da in SwTextFormatter::NewPortion(SwTextFormatInfo&, std::optional<o3tl::strong_int<int, Tag_TextFrameIndex> >)
    (this=0x7ffe6ac97888, rInf=..., oMovedFlyIndex=std::optional<o3tl::strong_int<int, Tag_TextFrameIndex>> [no contained value]) at sw/source/core/text/itrform2.cxx:1737
#19 0x00007f937acb3ed2 in SwTextFormatter::BuildPortions(SwTextFormatInfo&) (this=0x7ffe6ac97888, rInf=...) at sw/source/core/text/itrform2.cxx:440

but this same object is used here:
#0  SwAnchoredObject::GetObjRectWithSpaces() const (this=0x5600c10ec0a0) at sw/source/core/layout/anchoredobject.cxx:563
#1  0x00007f937ad65750 in SwTextFly::ForEach(SwRect const&, SwRect*, bool) const (this=0x7ffe6ac97790, rRect=SwRect = {...}, pRect=0x7ffe6ac94b18, bAvoid=true) at sw/source/core/text/txtfly.cxx:1100
#2  0x00007f937ad6541b in SwTextFly::GetFrame_(SwRect const&) const (this=0x7ffe6ac97790, rRect=SwRect = {...}) at sw/source/core/text/txtfly.cxx:382
#3  0x00007f937ac9529e in SwTextFly::GetFrame(SwRect const&) const (this=0x7ffe6ac97790, rRect=SwRect = {...}) at sw/source/core/inc/txtfly.hxx:371
#4  0x00007f937acb1ecc in SwTextFormatter::CalcFlyWidth(SwTextFormatInfo&) (this=0x7ffe6ac97888, rInf=...) at sw/source/core/text/itrform2.cxx:2753
#5  0x00007f937acb7f5c in SwTextFormatter::NewPortion(SwTextFormatInfo&, std::optional<o3tl::strong_int<int, Tag_TextFrameIndex> >)
    (this=0x7ffe6ac97888, rInf=..., oMovedFlyIndex=std::optional<o3tl::strong_int<int, Tag_TextFrameIndex>> [no contained value]) at sw/source/core/text/itrform2.cxx:1859
#6  0x00007f937acb3ed2 in SwTextFormatter::BuildPortions(SwTextFormatInfo&) (this=0x7ffe6ac97888, rInf=...) at sw/source/core/text/itrform2.cxx:440

Repro on Linux with 7.4.0.3 with signature "SwAnchoredObject::GetObjRectWithSpaces() const": https://crashreport.libreoffice.org/stats/crash_details/71fb341f-e183-4339-9495-d1b7da48e1c1

However, no crash anymore on Windows nor on Linux.

For all 3 files shared here, crash in master of linux-64-7.4 repo, but no crash in oldest of linux-64-7.5. So couldn't bibisect any fix.

Can someone else confirm that the files don't crash on opening anymore?

On pc Debian x86-64 with master sources updated today or with LO Debian package 24.2.03, I don't reproduce the crash anymore with minimal version reproducer or with the 2 files in initial attached zip.

OK, thanks Julien, let's close as "works for me".