The patch size isn't what is relevant to the crash that's happening here. If you re-read my post, you'll see I never indicated it was.
You fixed part of the problem with your version, but the remaining issue is that mprotect still isn't guaranteed to be called on the correct memory page. You are calling it on the memory page(s) that contain 'address' and 'address + 20 bytes'. Then you are proceeding to write to memory at 'address + offset'. The offset is 181.
As I said in my earlier post, you should be calling ProtectMemory with 'address + offset' (not 'address' alone) since that is the memory that is going to need write access. What you have will work up until the offset causes the patch location to cross the page boundary, which is what is happening here.
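The page-boundary case described above, as an added example that is not the poster's code or the code under discussion: `page_span`, `protect_patch_range` and `demo_cross_page_patch` are hypothetical names, the 4-byte patch and the placement of the base address 100 bytes before a page boundary are constructed, and POSIX `mmap`/`mprotect` are assumed.

```c
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Page-aligned span covering every byte of [target, target + len). */
static void page_span(uintptr_t target, size_t len, size_t page,
                      uintptr_t *start, size_t *span)
{
    uintptr_t mask  = ~((uintptr_t)page - 1);
    uintptr_t first = target & mask;
    uintptr_t last  = (target + len - 1) & mask;  /* page of the last byte */
    *start = first;
    *span  = (size_t)(last - first) + page;
}

/* Change protection on the pages that are written: base + offset, not base. */
static int protect_patch_range(void *base, size_t offset, size_t len, int prot)
{
    uintptr_t start;
    size_t span, page = (size_t)sysconf(_SC_PAGESIZE);
    if (len == 0) return 0;
    page_span((uintptr_t)base + offset, len, page, &start, &span);
    return mprotect((void *)start, span, prot);
}

/* Constructed layout: base..base+20 lies on the first page, base+181 on the
 * second. Returns 1 when the write at base+181 succeeds. */
static int demo_cross_page_patch(void)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *map = mmap(NULL, 2 * page, PROT_READ,
                              MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map == MAP_FAILED) return 0;
    unsigned char *base = map + page - 100;
    const unsigned char patch[4] = {1, 2, 3, 4};   /* constructed bytes */
    int ok = protect_patch_range(base, 181, sizeof patch,
                                 PROT_READ | PROT_WRITE) == 0;
    if (ok) {
        memcpy(base + 181, patch, sizeof patch);
        ok = memcmp(base + 181, patch, sizeof patch) == 0;
        protect_patch_range(base, 181, sizeof patch, PROT_READ); /* restore */
    }
    munmap(map, 2 * page);
    return ok;
}

int main(void) { return demo_cross_page_patch() ? 0 : 1; }
```

Computing the span from the last written byte also covers a patch that itself straddles two pages.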