Comment 32 for bug 401067

Specifically, intel_fb (driDrawPriv->driverPrivate) is the corrupted pointer. It often winds up pointing into libc or what I believe is graphics memory (shows up as "/drm mm object (deleted)" in /proc/<pid>/maps).

Surprisingly this doesn't always lead to a crash because the targeted memory often contains nulls or pointers to valid memory locations in the right places.