rkyv: Panic safety bugs in `InlineVec::clear` and `SerVec::clear` enable arbitrary code execution
InlineVec::clear() and SerVec::clear() in rkyv were not panic-safe. Both functions iterate over their elements and call drop_in_place on each, updating self.len only after the loop. If an element's Drop implementation panics during the loop, self.len is left at its original value. A subsequent invocation of clear() on the same container then re-visits the already-freed elements: InlineVec::clear() is called again from InlineVec's own Drop implementation when the value is later dropped. …