Two reasons caused the crash.
1. The buffer pointer is referenced first, then the buffer is reallocated and the original pointer is reused.
2. `gpd->runtime.sbuffer_size` is a `short` and can be clamped to negative values.
I fixed both causes and added a `NULL` check for extra safety.
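
An added example, not part of the original message or the project's code: a minimal C sketch of the hardened pattern for both causes, where the buffer pointer is taken only after any reallocation and the capacity is an `int` rather than a `short`. The `StrokeBuf` struct, the `strokebuf_ensure` and `strokebuf_append` helpers, and the growth policy are hypothetical names and choices made for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the stroke buffer state (not the project's struct). */
typedef struct {
    float *sbuffer;   /* heap block; may move whenever it grows */
    int sbuffer_used; /* points stored so far */
    int sbuffer_size; /* capacity as int: a short cannot count past SHRT_MAX */
} StrokeBuf;

/* Grow to hold at least `needed` points. Returns the current (possibly moved)
 * block, or NULL on failure, in which case the old block is left untouched. */
float *strokebuf_ensure(StrokeBuf *sb, int needed)
{
    if (sb == NULL || needed < 0) return NULL;
    if (needed <= sb->sbuffer_size) return sb->sbuffer;
    int new_size = sb->sbuffer_size > 0 ? sb->sbuffer_size : 64;
    while (new_size < needed) {
        if (new_size > INT_MAX / 2) return NULL; /* doubling would overflow */
        new_size *= 2;
    }
    float *p = realloc(sb->sbuffer, (size_t)new_size * sizeof *p);
    if (p == NULL) return NULL;
    sb->sbuffer = p;
    sb->sbuffer_size = new_size;
    return p;
}

/* Append one value; the pointer is taken only after any reallocation. */
int strokebuf_append(StrokeBuf *sb, float v)
{
    if (sb == NULL || sb->sbuffer_used == INT_MAX) return -1;
    float *buf = strokebuf_ensure(sb, sb->sbuffer_used + 1);
    if (buf == NULL) return -1; /* NULL check before any write */
    buf[sb->sbuffer_used++] = v;
    return 0;
}

int main(void)
{
    StrokeBuf sb = {0};
    for (int i = 0; i < 40000; i++) /* constructed input, larger than SHRT_MAX */
        if (strokebuf_append(&sb, (float)i) != 0) return 1;
    printf("used=%d capacity=%d\n", sb.sbuffer_used, sb.sbuffer_size);
    free(sb.sbuffer);
    return 0;
}
```

Running a build like this under AddressSanitizer is a quick way to confirm that no write goes through a pointer captured before the buffer grew.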