SmallVec::insert is UB on large arguments

[workingjubilee]

This example fails in miri, you can try it on the Playground:

fn main() {
    use smallvec::{smallvec, SmallVec};

    // This SmallVec can hold up to 4 items on the stack:
    let mut v: SmallVec<[i32; 4]> = smallvec![1, 2, 3, 4];

    // It will automatically move its contents to the heap if
    // contains more than four items:
    v.push(5);

    // SmallVec points to a slice, so you can use normal slice
    // indexing and other methods to access its contents:
    v[0] = v[1] + v[2];
    v.sort();
    v.insert(10, 6);
}

[workingjubilee]

The contract of pointer::add, for reference:

If any of the following conditions are violated, the result is Undefined Behavior:

• Both the starting and resulting pointer must be either in bounds or one byte past the end of the same allocated object.
• The computed offset, in bytes, cannot overflow an isize.
• The offset being in bounds cannot rely on “wrapping around” the address space. That is, the infinite-precision sum must fit in a usize.

[mbrubeck]

This is a regression from #282. It affects versions >= 1.8.1, <= 1.13.1.

[gendx]

FYI, given the UB, I've opened an issue to file a security advisory for this: rustsec/advisory-db#1960.

There are more than 30k crates that transitively depend on smallvec's 1.x branch, and given that a fix is available I think folks who regularly use cargo audit will appreciate that the tooling warns them if they had locked an earlier version.