Crash when browsing this url

[Ghost-Fellow]

1. To reproduce the bug
   Ask my wife to shop on-line ;-)
   This page
   http://www.c-and-a.com/fr/fr/shop/femme/looks-tendances/coton-bio/toute-la-collection
   triggered the bug. (should be reproducible, reload if not)
2. Versions used.
   On debian wheezy - git version - on an armel architecture.
   On debian jessie - git version - on an armel architecture.
   Reproduced on my laptop (x64) - wheezy.
3. Valgrind log and gdb back trace.

==5475== Memcheck, a memory error detector
==5475== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==5475== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==5475== Command: /home/ghost/local/src/polipo/polipo -c /home/ghost/local/src/polipo-test/polipo.conf forbiddenFile=/home/ghost/local/src/polipo-test/forbidden forbiddenTunnelsFile=Tunnels
==5475== 
==5475== Invalid read of size 8
==5475==    at 0x428A79: httpServerDirectHandlerCommon (server.c:2597)
==5475==    by 0x428F06: httpServerDirectHandler2 (server.c:2681)
==5475==    by 0x406E9F: do_scheduled_stream (io.c:245)
==5475==    by 0x405E71: pokeFdEventHandler (event.c:569)
==5475==    by 0x405C12: runTimeEventQueue (event.c:492)
==5475==    by 0x4060BA: eventLoop (event.c:654)
==5475==    by 0x4151CF: main (main.c:167)
==5475==  Address 0x52574c8 is 24 bytes inside a block of size 120 free'd
==5475==    at 0x4C27D4E: free (vg_replace_malloc.c:427)
==5475==    by 0x424FA4: httpServerFinish (server.c:1315)
==5475==    by 0x4254E2: httpServerRestart (server.c:1461)
==5475==    by 0x42622F: httpServerHandler (server.c:1742)
==5475==    by 0x406E9F: do_scheduled_stream (io.c:245)
==5475==    by 0x405E71: pokeFdEventHandler (event.c:569)
==5475==    by 0x405C12: runTimeEventQueue (event.c:492)
==5475==    by 0x4060BA: eventLoop (event.c:654)
==5475==    by 0x4151CF: main (main.c:167)
==5475== 
==5475== 
==5475== ---- Attach to debugger ? --- [Return/N/n/Y/y/C/c] ---- 
==5475== starting debugger with cmd: /usr/bin/gdb -nw /proc/5484/fd/1024 5484
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /proc/5484/fd/1024...done.
Attaching to program: /proc/5484/fd/1024, process 5484
Reading symbols from /usr/lib/valgrind/vgpreload_core-amd64-linux.so...Reading symbols from /usr/lib/debug/usr/lib/valgrind/vgpreload_core-amd64-linux.so...done.
done.
Loaded symbols for /usr/lib/valgrind/vgpreload_core-amd64-linux.so
Reading symbols from /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so...Reading symbols from /usr/lib/debug/usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so...done.
done.
Loaded symbols for /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so
Reading symbols from /lib/x86_64-linux-gnu/libc.so.6...Reading symbols from /usr/lib/debug/lib/x86_64-linux-gnu/libc-2.13.so...done.
done.
Loaded symbols for /lib/x86_64-linux-gnu/libc.so.6
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib64/ld-linux-x86-64.so.2
Reading symbols from /lib/x86_64-linux-gnu/libnss_files.so.2...Reading symbols from /usr/lib/debug/lib/x86_64-linux-gnu/libnss_files-2.13.so...done.
done.
Loaded symbols for /lib/x86_64-linux-gnu/libnss_files.so.2
Failed to read a valid object file image from memory.
0x0000000000428a79 in httpServerDirectHandlerCommon (kind=2, status=-65540, event=0x52d6c40, srequest=0x52d6c60)
    at server.c:2597
2597        HTTPRequestPtr request = connection->request;
(gdb) bt
#0  0x0000000000428a79 in httpServerDirectHandlerCommon (kind=2, status=-65540, event=0x52d6c40, srequest=0x52d6c60)
    at server.c:2597
#1  0x0000000000428f07 in httpServerDirectHandler2 (status=-65540, event=0x52d6c40, srequest=0x52d6c60)
    at server.c:2681
#2  0x0000000000406ea0 in do_scheduled_stream (status=-65540, event=0x52d6c40) at io.c:245
#3  0x0000000000405e72 in pokeFdEventHandler (tevent=0x52d6e20) at event.c:569
#4  0x0000000000405c13 in runTimeEventQueue () at event.c:492
#5  0x00000000004060bb in eventLoop () at event.c:654
#6  0x00000000004151d0 in main (argc=5, argv=0x7ff000238) at main.c:167
(gdb) p *connection
$1 = {flags = 0, fd = -1, buf = 0x0, len = 0, offset = 932, request = 0x0, request_last = 0x0, serviced = 4, 
  version = 1, time = 1444809708, timeout = 0x0, te = 0, reqbuf = 0x0, reqlen = 27044, reqbegin = 0, reqoffset = 0, 
  bodylen = -1, reqte = 0, chunk_remaining = -1, server = 0x52571c0, pipelined = 0, connecting = 0}
(gdb) p sizeof(*connection)
$2 = 120