bytes has integer overflow in BytesMut::reserve
Details In the unique reclaim path of BytesMut::reserve, the condition if v_capacity >= new_cap + offset uses an unchecked addition. When new_cap + offset overflows usize in release builds, this condition may incorrectly pass, causing self.cap to be set to a value that exceeds the actual allocated capacity. Subsequent APIs such as spare_capacity_mut() then trust this corrupted cap value and may create out-of-bounds slices, leading to UB. This behavior is …