Ah yes. I was doing the wrong kind of overflow check, so I got lucky with the first fix on your initial test case.

There were a few other Int overflow candidates that I also fixed along the way. What needs a deeper look is the handling of arithmetic in the internal module Data.Text.Internal.Size. On a 32-bit machine, it should be fairly easy to overflow those size calculations, but there are cases where you can overflow and at least in theory still have a safe result. For instance:

take 3 (replicate 10 (replicate (maxBound `div` 2) "a"))

I'd be fine with this either throwing an error or returning "aaa", but right now its behaviour is not likely to be so friendly.

The extra checks needed for overflow detection shouldn't have a noticeable performance impact: there's an expensive div-test-and-branch required, but the calculation should only occur once per fused loop (not per iteration).