A bug in the SmallVec::insert_many method caused it to allocate a buffer that was smaller than needed. It then wrote past the end of the buffer, causing a buffer overflow and memory corruption on the heap. This bug was only triggered if the iterator passed to insert_many yielded more items than the lower bound returned from its size_hint method.
The flaw was corrected in smallvec 0.6.14 and 1.6.1 by ensuring that additional space is always reserved for each item inserted. The fix also simplified the implementation of insert_many to use less unsafe code, making its correctness easier to verify.
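The triggering condition and the corrected strategy, modelled in safe Rust on a plain Vec. This is an added example, not smallvec's own code; the names UnderReporting, insert_many and demo are hypothetical, and the inputs are constructed.

```rust
/// Constructed test iterator: yields all of `inner` but advertises only
/// `claimed` items as its size_hint lower bound (a legal, honest hint).
struct UnderReporting<I> { inner: I, claimed: usize }

impl<I: Iterator> Iterator for UnderReporting<I> {
    type Item = I::Item;
    fn next(&mut self) -> Option<I::Item> {
        self.claimed = self.claimed.saturating_sub(1);
        self.inner.next()
    }
    fn size_hint(&self) -> (usize, Option<usize>) { (self.claimed, None) }
}

/// Hypothetical safe model of the corrected strategy on a plain Vec.
/// Returns the number of items inserted at `index`.
fn insert_many<T, I: IntoIterator<Item = T>>(v: &mut Vec<T>, index: usize, iterable: I) -> usize {
    assert!(index <= v.len(), "insertion index out of bounds");
    let mut iter = iterable.into_iter();
    let (lower, _) = iter.size_hint();
    // Bulk phase: reserve once for the hinted count and take at most that many.
    v.reserve(lower);
    let tail = v.split_off(index);
    v.extend(iter.by_ref().take(lower));
    let mut added = v.len() - index;
    v.extend(tail);
    // The hint promised nothing about further items, so each one goes through
    // Vec::insert, which reserves space for itself before writing.
    for item in iter {
        v.insert(index + added, item);
        added += 1;
    }
    added
}

/// Runs both triggering shapes and returns the resulting vectors.
fn demo() -> (Vec<i32>, Vec<i32>) {
    let mut a = vec![1, 2, 9, 10];
    insert_many(&mut a, 2, UnderReporting { inner: 3..9, claimed: 2 });
    // `filter` always reports a lower bound of 0, so every item is "extra".
    let mut b = vec![100, 200];
    insert_many(&mut b, 1, (0..10).filter(|n| n % 2 == 0));
    (a, b)
}

fn main() {
    let (a, b) = demo();
    println!("{:?}\n{:?}", a, b);
}
```

An iterator shaped like UnderReporting, or any filter adapter, is a useful regression input for code that sizes a buffer from size_hint, since both yield more items than the lower bound.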
github.com/servo/rust-smallvec
github.com/servo/rust-smallvec/commit/5757ac500d4e544485d796b542e4e589749c291b
github.com/servo/rust-smallvec/commit/9998ba0694a6b51aa6604748b00b6a98f0a0039e
github.com/servo/rust-smallvec/issues/252
nvd.nist.gov/vuln/detail/CVE-2021-25900
rustsec.org/advisories/RUSTSEC-2021-0003.html