The patch is attached. Array bounds went unchecked in
the menu page operations (, \ ~) This resulted in
memory corruption.
The actual crash depends on your luck actually. It will
only crash if heap headers are corrupted, otherwise it
can go unnoticed. When you do "Du," the list page size
is 18 (on my screen) with only 2 items in the menu. The
program assigned count of -1 to 18 items in the array
of 2. Ka-boom. I put bounds checking code in several
places. The window size does not have anything to do
with it.
<Someone>.
1c562198f5