It turns out that locate will *always* go past the end of the buffer due to the missing length checks. Usually this is not a problem as mmap returns page-sized buffers. But if the length of the buffer is an even multiple of the page size it will dereference an address outside the buffer and crash. In this case, the buffer in question is 20885504 bytes long which is 5099 4K pages.
- todd
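Added example, not code from the message or from locate: it shows the page arithmetic behind the crash (an unchecked scan past the end of an mmap'd buffer only faults when the length is an exact multiple of the page size, otherwise it silently reads the slack in the last page) next to a scan that carries the length check. The 20885504-byte figure is the one from the message; the function names and the one-page test mapping are constructed for the example.

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Bytes between the end of a `len`-byte buffer and the end of the last
 * page it occupies. Zero means the byte after the buffer is outside the
 * mapping, so an unchecked read there faults instead of reading slack. */
size_t page_slack(size_t len, size_t page)
{
    return (page - (len % page)) % page;
}

/* Whole pages needed to hold `len` bytes. */
size_t pages_for(size_t len, size_t page)
{
    return (len + page - 1) / page;
}

/* Find the next NUL at or after `off` without ever reading past `len`.
 * Returns the terminator's offset, or -1 when none exists in range;
 * the caller must treat -1 as "truncated record", not keep scanning. */
long find_nul_bounded(const unsigned char *buf, size_t len, size_t off)
{
    for (size_t i = off; i < len; i++)
        if (buf[i] == 0)
            return (long)i;
    return -1;
}

int main(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t len = 20885504;  /* buffer size quoted in the message */
    printf("%zu bytes = %zu pages, slack after buffer = %zu bytes\n",
           len, pages_for(len, page), page_slack(len, page));

    /* Constructed mapping: exactly one page with no terminator in it, the
     * shape that makes an unchecked scan run straight off the mapping. */
    unsigned char *buf = mmap(NULL, page, PROT_READ | PROT_WRITE,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED)
        return 1;
    memset(buf, 'a', page);
    printf("bounded scan result: %ld\n", find_nul_bounded(buf, page, 0));
    munmap(buf, page);
    return 0;
}
```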
