Version 7.0 introduced classes for calculating the offsets of fields in rows with large numbers of variable-size fields. This is controlled by the option 'varFieldAccessorThreshold'.
The offsets in the record are size_t.
The code generated for one query was similar to the following:
unsigned value = 1;
target = row + (value - 4U) + offs.off + 1223U;
In this situation (value - 4U) underflowed to -3, which as an unsigned is 0xfffffffd. If offs.off had not been present, that would then have been added to 1223U to give 1220U. But because offs.off is a size_t, the intermediate value gets cast to an unsigned __int64 first. That means the resulting value is 0x100000000 larger, leading to an invalid address.
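The arithmetic above can be reproduced with plain integers. This is an added example, not the generated code or the project's fix; the function names are hypothetical, and it assumes a 32-bit `unsigned` and a 64-bit `size_t` (modelled with `uint32_t` and `uint64_t`).

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* All operands are 32-bit: the underflow in (value - 4U) is cancelled
   when 1223U is added, because both steps wrap modulo 2^32. */
static uint64_t offset_all_32bit(uint32_t value)
{
    uint32_t sum = (value - 4U) + 1223U;
    return sum;
}

/* Shape of the generated expression: (value - 4U) is evaluated in 32 bits
   and wraps to 0xfffffffd, then is zero-extended to 64 bits because the
   next operand (off, standing in for offs.off) is 64 bits wide. The later
   addition no longer wraps, so the result is 2^32 too large. */
static uint64_t offset_mixed(uint32_t value, uint64_t off)
{
    return (value - 4U) + off + 1223U;
}

/* One possible correction (an assumption, not taken from the page):
   widen value before subtracting so every step wraps modulo 2^64 and
   the underflow cancels again. */
static uint64_t offset_widened(uint32_t value, uint64_t off)
{
    return ((uint64_t)value - 4U) + off + 1223U;
}

int main(void)
{
    uint32_t value = 1;   /* value from the report */
    uint64_t off = 16;    /* constructed sample for offs.off */

    printf("32-bit only : %" PRIu64 "\n", offset_all_32bit(value));
    printf("mixed widths: 0x%" PRIx64 "\n", offset_mixed(value, off));
    printf("widened     : %" PRIu64 "\n", offset_widened(value, off));
    printf("difference  : 0x%" PRIx64 "\n",
           offset_mixed(value, off) - offset_widened(value, off));
    return 0;
}
```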