This issue and vector is similar to [RUSTSEC-2020-0029] of
rgb crate which
mozjpeg depends on.
Affected versions of
mozjpeg crate allow creating instances of any type
T from bytes,
and do not correctly constrain
T to the types for which it is safe to do so.
Examples of safety violation possible for a type
Tcontains a reference type, and it constructs a pointer to an invalid, arbitrary memory address.
Trequires a safety and/or validity invariant for its construction that may be violated.
The issue was fixed in 0.8.19 by using safer types and involving
rgb dependency bump.