hey, r1ch, it's squeaky.
worm pointed out that your memory management debug code (he mentioned z_buggygame in particular) has helped stability a lot. i looked at your code, and i thought i might lend advice from my experience in systems development.
i'm looking at lines 1790 and 1929 of qcommon/common.c, where you check the tail of an allocated block, and your comments worry about a possible segfault if your zhead_t.size puts the pointer in random space. since this code is on the topic of excessive debug checks, you ought to know that there are ways to make sure a particular page is actually mapped -- effectively testing for whether a particular read of memory will initiate a segfault or not.
the method is different between windows and linux. on linux, you should look at the msync and write system calls. as i recall, a call like msync(addr, length, 0) will return 0 if the range is mapped, and -1 with errno=ENOMEM if the range isn't mapped. this requires that addr and length be a multiple of the system page size -- see getpagesize. alternatively a write(fd, addr, length) will return -1 with errno=EFAULT if the range isn't mapped. this is a little hackier, and requires you to have a valid file descriptor open for writing (opening /dev/null is a safe bet).
on windows, i have no experience, but initial searches on msdn.net point to the VirtualQuery function, which should directly query your access permissions on an address range. like the unix msync call, you need to page-align your start address and length.
i was about to suggest also using gnu backtrace, but i see you've already beaten me to the punch!
i like the progress you've made so far. you'll still never convince me on the issue of authenticated clients, but i really like everything you've done in the engine