The replay database contains a buffer overflow. If the first 513 RTCP packets are lost (or if an evil partner starts the RTCP index at 513 instead of 0) the rdb_add_index() function will attempt to modify memory outside of the rdb_t structure.
I enclose two patches. The first adds a new test case to replay_driver, which at least on my computer crashes with a segmentation fault. The second patch fixes the problem.
(rdbx.c seems to already contain the fix.)
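The failure mode described above, as an added example that is not part of the original mail or of libsrtp's own sources: a small sliding replay window (128 entries, four 32-bit words) whose forward shift is bounded. The names `replay_window_t`, `rw_check`, `rw_add` and `rw_shift` are hypothetical; the point is the guard in `rw_shift`, which clears the window when the requested shift is at least the window size instead of computing word offsets from a shift that would index outside the bit array. This is the same situation as the first 513 packets being lost or a peer starting at index 513: a single index far ahead of `window_start` must move the window without touching memory outside the structure.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical replay window, modelled on the mail's description (not libsrtp code). */
#define RW_WORDS 4
#define RW_BITS (RW_WORDS * 32)

typedef struct {
    uint32_t window_start;   /* index of the oldest entry the window covers */
    uint32_t bits[RW_WORDS]; /* bit i set => index window_start + i was seen */
} replay_window_t;

enum { RW_OK = 0, RW_REPLAY = 1, RW_TOO_OLD = 2 };

void rw_init(replay_window_t *w) { memset(w, 0, sizeof *w); }

static int rw_get_bit(const replay_window_t *w, unsigned i) {
    return (w->bits[i / 32] >> (i % 32)) & 1u;
}

static void rw_set_bit(replay_window_t *w, unsigned i) {
    w->bits[i / 32] |= 1u << (i % 32);
}

/* Advance the window by n positions, discarding the n oldest entries.
 * The first branch is the guard: a shift of RW_BITS or more means every
 * entry is now too old, so the bit array is simply cleared. Deriving a
 * word offset from such an n and indexing bits[] with it is exactly how
 * a shift routine ends up writing outside the structure. */
static void rw_shift(replay_window_t *w, uint32_t n) {
    if (n >= RW_BITS) {
        memset(w->bits, 0, sizeof w->bits);
        return;
    }
    unsigned words = n / 32, b = n % 32;
    for (unsigned i = 0; i < RW_WORDS; i++) {
        uint32_t lo = (i + words < RW_WORDS) ? w->bits[i + words] : 0;
        uint32_t hi = (i + words + 1 < RW_WORDS) ? w->bits[i + words + 1] : 0;
        w->bits[i] = b ? (lo >> b) | (hi << (32 - b)) : lo;
    }
}

/* Classify an incoming index against the window (no state change). */
int rw_check(const replay_window_t *w, uint32_t index) {
    if (index < w->window_start)
        return RW_TOO_OLD;
    uint32_t delta = index - w->window_start;
    if (delta >= RW_BITS)
        return RW_OK; /* ahead of the window: never seen */
    return rw_get_bit(w, delta) ? RW_REPLAY : RW_OK;
}

/* Record an index, sliding the window forward when it lies beyond it. */
void rw_add(replay_window_t *w, uint32_t index) {
    if (index < w->window_start)
        return;
    uint32_t delta = index - w->window_start;
    if (delta >= RW_BITS) {
        /* move the window so that index becomes its newest entry */
        uint32_t shift = delta - (RW_BITS - 1);
        rw_shift(w, shift);
        w->window_start += shift;
        delta = RW_BITS - 1;
    }
    rw_set_bit(w, delta);
}

/* Scenario from the mail: the first packet seen carries index 513.
 * Returns the resulting window_start (386 = 513 - 127). */
uint32_t scenario_late_start(void) {
    replay_window_t w;
    rw_init(&w);
    rw_add(&w, 513); /* delta 513 >= 128: shift 386 hits the clear path */
    return w.window_start;
}

int main(void) {
    replay_window_t w;
    rw_init(&w);
    rw_add(&w, 513);
    printf("window_start=%u  513:%d  514:%d  0:%d\n", w.window_start,
           rw_check(&w, 513), rw_check(&w, 514), rw_check(&w, 0));
    return 0;
}
```

The constant 513 in `scenario_late_start` is taken from the mail; rollover of the 32-bit index is deliberately not modelled here, so indices are compared as plain unsigned values.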