Memory corruption/valgrind warning/crash in move_hole() with ST_UNION

Bug #804266 reported by Philip Stoev
Affects: MariaDB
Status: Fix Released
Importance: Undecided
Assigned to: Alexey Botchkov
Milestone: none

Bug Description

valgrind reports:

==14982== Thread 4:
==14982== Invalid read of size 1
==14982== at 0x40087CA: memmove (mc_replace_strmem.c:765)
==14982== by 0x8366572: Gcalc_result_receiver::move_hole(unsigned int, unsigned int, unsigned int*) (gcalc_tools.cc:438)
==14982== by 0x83679B3: Gcalc_operation_reducer::get_result(Gcalc_result_receiver*) (gcalc_tools.cc:1120)
==14982== by 0x825BED5: Item_func_spatial_operation::val_str(String*) (item_geofunc.cc:1027)
==14982== by 0x82593E2: Item_func_as_wkt::val_str(String*) (item_geofunc.cc:123)
==14982== by 0x81DB7D0: Item::send(Protocol*, String*) (item.cc:5905)
==14982== by 0x8288EB7: select_send::send_data(List<Item>&) (sql_class.cc:1919)
==14982== by 0x8325D07: JOIN::exec() (sql_select.cc:2069)
==14982== by 0x8328723: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2885)
==14982== by 0x83205EE: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:283)
==14982== by 0x82BBD1E: execute_sqlcom_select(THD*, TABLE_LIST*) (sql_parse.cc:5082)
==14982== by 0x82B2B22: mysql_execute_command(THD*) (sql_parse.cc:2227)
==14982== by 0x82BE35A: mysql_parse(THD*, char*, unsigned int, char const**) (sql_parse.cc:6083)
==14982== by 0x82B07BE: dispatch_command(enum_server_command, THD*, char*, unsigned int) (sql_parse.cc:1206)
==14982== by 0x82AFC44: do_command(THD*) (sql_parse.cc:904)
==14982== by 0x82ACCBF: handle_one_connection (sql_connect.cc:1177)
==14982== Address 0x593c817 is 1 bytes before a block of size 1,052 alloc'd
==14982== at 0x4005E9E: malloc (vg_replace_malloc.c:236)
==14982== by 0x87868EC: _mymalloc (safemalloc.c:138)
==14982== by 0x8786ECE: _myrealloc (safemalloc.c:254)
==14982== by 0x829A717: String::realloc(unsigned int) (sql_string.cc:90)
==14982== by 0x829B863: String::reserve(unsigned int, unsigned int) (sql_string.cc:691)
==14982== by 0x8366026: Gcalc_result_receiver::add_point(double, double) (gcalc_tools.cc:301)
==14982== by 0x83676C1: Gcalc_operation_reducer::get_result_thread(Gcalc_operation_reducer::res_point*, Gcalc_result_receiver*, int) (gcalc_tools.cc:1037)
==14982== by 0x83677AC: Gcalc_operation_reducer::get_polygon_result(Gcalc_operation_reducer::res_point*, Gcalc_result_receiver*) (gcalc_tools.cc:1068)
==14982== by 0x836798D: Gcalc_operation_reducer::get_result(Gcalc_result_receiver*) (gcalc_tools.cc:1120)
==14982== by 0x825BED5: Item_func_spatial_operation::val_str(String*) (item_geofunc.cc:1027)
==14982== by 0x82593E2: Item_func_as_wkt::val_str(String*) (item_geofunc.cc:123)
==14982== by 0x81DB7D0: Item::send(Protocol*, String*) (item.cc:5905)
==14982== by 0x8288EB7: select_send::send_data(List<Item>&) (sql_class.cc:1919)
==14982== by 0x8325D07: JOIN::exec() (sql_select.cc:2069)
==14982== by 0x8328723: mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) (sql_select.cc:2885)
==14982== by 0x83205EE: handle_select(THD*, st_lex*, select_result*, unsigned long) (sql_select.cc:283)
==14982==

test case:

SELECT AsText( ST_UNION( MultiPolygonFromText(' MULTIPOLYGON( ( ( 9 9 , 7 9 , 1 1 , 9 9 ) ) , ( ( 2 2 , 1 2 , 3 3 , 2 2 , 2 2 ) ) , ( ( 0 0 , 7 5 , 9 6 , 0 0 ) ) , ( ( 7 7 , 5 7, 1 5, 7 1 , 7 7 ) ) ) ') , MultiPolygonFromText(' MULTIPOLYGON( ( ( 2 2 , 2 2 , 1 5 , 2 7 , 2 2 ) ) , ( (0 5, 3 5, 3 0, 0 0, 0 5), ( 1 1 , 2 1 , 2 4, 1 4, 1 1 ) ) ) ') ) );

Changed in maria:
milestone: none → 5.3
assignee: nobody → Alexey Botchkov (holyfoot)
summary: - Memory corruption/valgrind warning/crash with ST_UNION
+ Memory corruption/valgrind warning/crash in move_hole() with ST_UNION
Alexey Botchkov (holyfoot) wrote :

fix pushed into 5.3-gis.

Changed in maria:
status: New → Fix Committed
Changed in maria:
status: Fix Committed → Fix Released