For the bug details see the writeup. Because of the integer underflow, the memcpy size exceeds the size of the memory in the source buffer, so the firmware crashes once an unmapped memory page is accessed. memcpy uses r1 as the register for the source address. In the register dump it can be seen that r1 has just passed the page boundary and is now in unmapped memory.
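The underflow pattern described above, shown as an added illustration that is not code from the writeup or the firmware: a declared length smaller than the header wraps the size_t copy length around to a huge value, while the checked version rejects it. The 2-byte length header and packet layout are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical packet format: 2-byte little-endian total length, then payload. */
#define HDR_LEN 2

/* Vulnerable length computation: when declared_len < HDR_LEN the unsigned
   subtraction wraps to near SIZE_MAX. Returned instead of passed to memcpy so
   the wrap-around can be observed without reading past the source buffer. */
size_t payload_len_unchecked(uint16_t declared_len) {
    return (size_t)declared_len - HDR_LEN;
}

/* Hardened version: the declared length must cover the header, must not
   exceed the bytes actually received, and must fit the destination. */
bool copy_payload_checked(const uint8_t *pkt, size_t received,
                          uint8_t *out, size_t out_cap, size_t *copied) {
    if (received < HDR_LEN) return false;
    uint16_t declared = (uint16_t)(pkt[0] | (pkt[1] << 8));
    if (declared < HDR_LEN || declared > received) return false;
    size_t n = declared - HDR_LEN;
    if (n > out_cap) return false;
    memcpy(out, pkt + HDR_LEN, n);
    *copied = n;
    return true;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t PKT_OK[]    = {0x05, 0x00, 'a', 'b', 'c'}; /* declared 5, 3 payload bytes */
static const uint8_t PKT_SHORT[] = {0x01, 0x00};                /* declared 1 < header: underflow case */
static const uint8_t PKT_LONG[]  = {0x09, 0x00, 'a'};           /* declared 9 > 3 bytes received */

/* Returns the number of payload bytes accepted, or -1 if the packet is rejected. */
long try_copy(const uint8_t *pkt, size_t received) {
    uint8_t out[16];
    size_t n = 0;
    return copy_payload_checked(pkt, received, out, sizeof out, &n) ? (long)n : -1;
}

int main(void) {
    printf("unchecked len for declared=1: %zu\n", payload_len_unchecked(1)); /* wraps */
    printf("ok=%ld short=%ld long=%ld\n", try_copy(PKT_OK, sizeof PKT_OK),
           try_copy(PKT_SHORT, sizeof PKT_SHORT), try_copy(PKT_LONG, sizeof PKT_LONG));
    return 0;
}
```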