assert in malloc.h at realloc

Take the 0.12.0ubuntu2 lxcfs source, build it on i386, run it (say lxcfs /var/lib/lxcfs), then run the tests/test_proc script (cd tests; sudo ./test_proc). The assertion

  assert ((old_top == initial_top (av) && old_size == 0) ||
          ((unsigned long) (old_size) >= MINSIZE &&
           prev_inuse (old_top) &&
           ((unsigned long) old_end & pagemask) == 0));

is triggered. A rebuild with some printfs shows that:

old_top 3063975608 inittop 3063939136 old_size 24
minsize 16
previnuse yes
old_end 3063975632 pagemask 4095 mask 3792

Just catting the proc/meminfo file triggers:

[New Thread 0xb73ffb40 (LWP 14303)]
*** Error in `/home/ubuntu/orig/lxcfs-0.12/lxcfs': realloc(): invalid next size: 0xb7420978 ***

The lxcfs code which is triggering this is:

static void append_line(char **contents, char *line, size_t *len)
{
        size_t newlen = *len + strlen(line);
        if (!*contents) {
                do {
                        *contents = malloc(*len + 1);
                } while (!*contents);
        } else {
                char *tmp;
                do {
                        tmp = realloc(*contents, newlen + 1);
                } while (!tmp);
                *contents = tmp;
        }
        strcpy(*contents + *len, line);
        *len = newlen;
}

gdb shows reasonable values for *len, newlen, and *contents and line.

I'm working around it by increasing the size by which we realloc, which seems to work fine, although it seems like that cannot be the root cause since a simple reproducer doesn't work to reproduce this.