Valgrind reports INTERNAL ERROR when a bogus address is passed to execve(argv) or execve(envp) syscall wrapper. That's because ML_(pre_argv_envp)() blindly dereferences address passed by the client program. The syscall wrapper should check at least that the first entry of argv and envp belongs to a valid client memory segment (there needs to be always at least one entry for terminating NULL).
Created attachment 104915 [details] proposed patch
Fixed in SVN r16301.