https://bugs.freedesktop.org/show_bug.cgi?id=21134 has a fairly similar bug, although the exact place from where the crasing memmove() is called differs.