Thanks for the very timely response!
Would it be worth composing an announcement of this for venues like bugtraq and full-disclosure? Or do you think most lsh users are on lsh-bugs?
On a separate topic, I've been chatting with someone else, and he pointed out that a somewhat different abstraction could be more robust; rather than having an open, visible buffer data structure into which code can directly write, if code is obliged to go through accessor routines you can have just one place where all the bounds-checking is implemented, rather than having to get it right every place that writes into a buffer. Seems to me like it'd be a performance hit worth taking for the benefit.
-Bennett