I think Clap has an exploitable vulnerability: https://github.com/clap-rs/clap/issues/1594
They basically transmute arbitrary bytes into OsStr, which on Windows is WTF-8, so they violate the validity invariant for it. I wonder if there are actually any functions using WTF-8 invariants to avoid bounds checks?
<I've pasted the wrong link here, sorry>
The good news is that the crate author is very cooperative
Lots of functions in the WTF-8 implementation do "find next surrogate, pass everything up to that to str::from_utf8_unchecked", so this should allow constructing &str with invalid UTF-8