I just realized that too, but for another reason. In your case it was about a 64-bit access that spilled over a logical boundary (but presumably within the rounded-up size used by malloc) but here it's a single byte being written past a power-of-2 boundary.
Another important clue is that solving the first problems also fixed the fatal crash later. Apparently those tiny writes 1 byte off are enough to corrupt the malloc structures.
Since the #define and corresponding malloc() is in the Pike source we might be able to call malloc(DEFAULT_BUF_SIZE + 17) (and similar for realloc), but who knows if for other input libjpeg will access even greater offsets?
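One way to answer the "how far past the end does it go" question before picking a padding value is to pad the allocation with a canary region and measure the highest offset that gets touched. This is an added example, not part of the original post and not Pike or libjpeg code; `GUARD_LEN`, the 4096-byte buffer size and the `sloppy_fill` stand-in writer are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_LEN  64    /* hypothetical slack, larger than any overrun expected */
#define GUARD_BYTE 0xA5  /* canary pattern; a stray write of 0xA5 itself goes unseen */

/* Allocate `size` usable bytes followed by GUARD_LEN canary bytes. */
unsigned char *guarded_alloc(size_t size)
{
    unsigned char *p = malloc(size + GUARD_LEN);
    if (p != NULL)
        memset(p + size, GUARD_BYTE, GUARD_LEN);
    return p;
}

/* Bytes of overrun past the logical end: 0 if the guard is intact,
 * otherwise the highest modified guard offset plus one. */
size_t guarded_overrun(const unsigned char *p, size_t size)
{
    for (size_t i = GUARD_LEN; i > 0; i--)
        if (p[size + i - 1] != GUARD_BYTE)
            return i;
    return 0;
}

/* Constructed stand-in for a library routine that writes `extra` bytes
 * past the buffer it was given (extra must stay <= GUARD_LEN). */
void sloppy_fill(unsigned char *buf, size_t size, size_t extra)
{
    memset(buf, 0, size + extra);
}

/* Run the stand-in writer on a guarded buffer and report the overrun. */
size_t measure_overrun(size_t size, size_t extra)
{
    unsigned char *buf = guarded_alloc(size);
    if (buf == NULL)
        return (size_t)-1;
    sloppy_fill(buf, size, extra);
    size_t n = guarded_overrun(buf, size);
    free(buf);
    return n;
}

int main(void)
{
    /* 4096 is a constructed power-of-2 size, not Pike's DEFAULT_BUF_SIZE. */
    printf("overrun: %zu byte(s)\n", measure_overrun(4096, 1));
    return 0;
}
```

Running the real decoder over a corpus of inputs with the guard check after each call gives an observed maximum overrun, which is only a lower bound on what other inputs might do.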