transpose: Buffer overflow due to integer overflow
Given the function transpose::transpose: fn transpose<T: Copy>(input: &[T], output: &mut [T], input_width: usize, input_height: usize) The safety check input_width * input_height == output.len() can fail due to input_width * input_height overflowing in such a way that it equals output.len(). As a result of failing the safety check, memory past the end of output is written to. This only occurs in release mode since * panics on overflow in debug mode. …