I just spotted this.

svn_stringbuf_insert() contains this:

  temp = apr_pstrndup(str->pool, bytes, count);


That's wrong for an arbitrary array of bytes, because it will stop copying at 
the first null byte.

Using apr_pmemdup() should fix it.

Same in svn_stringbuf_replace().

Inadequate test coverage. It is tested only with non-zero-length strings of 
ASCII characters. (Another scenario not tested is inserting a string that 
overlaps the existing string and starts or ends at the existing string's start 
or end or end-plus-null.)

- Julian
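
Added example, not part of the original message and not Subversion or APR code: it contrasts the two copy semantics on constructed inputs and shows why ASCII-only tests pass while a byte array containing a NUL is cut short. `dup_strn`, `dup_mem` and `copy_is_faithful` are hypothetical stand-ins that use malloc in place of an APR pool.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in with apr_pstrndup() semantics: copies at most n bytes but stops
   at the first NUL. malloc replaces the APR pool (assumption). */
static char *dup_strn(const char *s, size_t n, size_t *copied)
{
    const char *end = memchr(s, '\0', n);
    if (end != NULL)
        n = (size_t)(end - s);
    char *res = malloc(n + 1);
    if (res == NULL) return NULL;
    memcpy(res, s, n);
    res[n] = '\0';
    *copied = n;
    return res;
}

/* Stand-in with apr_pmemdup() semantics: copies exactly n bytes. */
static char *dup_mem(const char *m, size_t n, size_t *copied)
{
    char *res = malloc(n + 1);
    if (res == NULL) return NULL;
    memcpy(res, m, n);
    *copied = n;
    return res;
}

/* Returns 1 if the temporary copy holds all `count` input bytes,
   0 if it was cut short, -1 on allocation failure. */
int copy_is_faithful(const char *bytes, size_t count, int use_memdup)
{
    size_t copied = 0;
    char *temp = use_memdup ? dup_mem(bytes, count, &copied)
                            : dup_strn(bytes, count, &copied);
    if (temp == NULL) return -1;
    /* && short-circuits, so a short copy is never read past its end. */
    int ok = (copied == count) && memcmp(temp, bytes, count) == 0;
    free(temp);
    return ok;
}

int main(void)
{
    /* Constructed inputs: plain ASCII, then 5 bytes with an embedded NUL. */
    printf("ascii:    strn=%d mem=%d\n", copy_is_faithful("hello", 5, 0), copy_is_faithful("hello", 5, 1));
    printf("embedded: strn=%d mem=%d\n", copy_is_faithful("ab\0cd", 5, 0), copy_is_faithful("ab\0cd", 5, 1));
    return 0;
}
```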