I already talked with the upstream author and we figured a possible problem due to an non-locked use of the core function. The cause of this is
unsigned char *tmpval = ec->mem + ec->memlocation; *tmpval = (*tmpval + 1) & 0xff; ec->memlocation = ec->memlocation + ec->memblocksize - 1; ec->memlocation = ec->memlocation % wrap;
which is non-atomic and will thus leads to the out-of-bounds deref. The EC object may only be used by one thread at a time.