GHSA-vfvv-c25p-m7mm | Severity: Medium | Disclosed before NVD
rkyv: Panic safety bugs in `InlineVec::clear` and `SerVec::clear` enable arbitrary code execution
## Description
`InlineVec::clear()` and `SerVec::clear()` in `rkyv` were not panic-safe. Both functions iterate over their elements and call `drop_in_place` on each, updating `self.len` only *after* the loop. If an element's `Drop` implementation panics partway through the loop, the reset is skipped and `self.len` keeps its original value, so the slots that have already been dropped are still counted as live.
A subsequent invocation of `clear()` on the same container then re-visits those already-dropped elements and runs their destructors a second time:
- `InlineVec::clear()` is called again from `InlineVec`'s own `Drop` implementation when the value is later dropped.
- `SerVec::clear()` is called again by `SerVec::with_capacity()` after the user closure returns.
## Technical Impact
- **CWE-415 (Double Free):** heap corruption when the element type owns a heap allocation (for example a `Box<T>`), which is freed once per visit
- **CWE-416 (Use-After-Free):** memory corruption when an element's `Drop` reads heap memory that the first visit already freed
Both vulnerabilities are triggerable entirely from safe Rust: a `Drop` that panics, with the panic caught via `std::panic::catch_unwind`, is sufficient, and no special privileges are required.
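The following is an added example, not code from rkyv or from this advisory. `MiniVec` is a hypothetical stand-in for `InlineVec`: a fixed-capacity inline buffer whose own `Drop` calls `clear`, just as the description above says `InlineVec` does. It carries both the vulnerable pattern (`clear_unsound`: drop every element, reset `len` afterwards) and a panic-safe one (`clear_safe`: take each slot out of `len` before dropping it). The element type `Tracked` counts how often its `Drop` runs and panics the first time for one element, so the second visit shows up as a drop count of 2 instead of the real heap corruption a `Box<T>` element would suffer. The names, the three-element scenario and the back-to-front drop order in `clear_safe` are this example's assumptions, not rkyv's code.

```rust
use std::cell::Cell;
use std::mem::MaybeUninit;
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::ptr;

/// Hypothetical stand-in for an inline vector: `N` slots stored in place,
/// the first `len` of which are initialised. `panic_safe` selects which
/// `clear` the container's own `Drop` calls (mirroring `InlineVec`'s Drop).
pub struct MiniVec<T, const N: usize> {
    buf: [MaybeUninit<T>; N],
    len: usize,
    panic_safe: bool,
}

impl<T, const N: usize> MiniVec<T, N> {
    pub fn new(panic_safe: bool) -> Self {
        MiniVec { buf: std::array::from_fn(|_| MaybeUninit::uninit()), len: 0, panic_safe }
    }

    pub fn push(&mut self, value: T) {
        assert!(self.len < N, "inline capacity exhausted");
        self.buf[self.len] = MaybeUninit::new(value);
        self.len += 1;
    }

    /// The pattern the advisory describes: drop every element, reset `len`
    /// only after the loop. A panicking `Drop` skips the reset, so `len`
    /// still covers slots that were already dropped; the next call drops them again.
    pub fn clear_unsound(&mut self) {
        for i in 0..self.len {
            // The buggy code assumes slots 0..len are always live. After a
            // panic that is false, and this call becomes a double drop.
            unsafe { ptr::drop_in_place(self.buf[i].as_mut_ptr()) };
        }
        self.len = 0;
    }

    /// Panic-safe variant: remove a slot from `len` *before* dropping it, so a
    /// panic leaves `len` covering only slots that are still live. Back-to-front
    /// order is this example's choice; a forward walk with a guard works too.
    pub fn clear_safe(&mut self) {
        while self.len > 0 {
            self.len -= 1;
            let idx = self.len;
            // SAFETY: slot `idx` is live and no longer counted by `len`, so
            // even if this drop panics nothing will revisit it.
            unsafe { ptr::drop_in_place(self.buf[idx].as_mut_ptr()) };
        }
    }
}

impl<T, const N: usize> Drop for MiniVec<T, N> {
    fn drop(&mut self) {
        // This is the "subsequent invocation of clear()" from the advisory.
        if self.panic_safe { self.clear_safe() } else { self.clear_unsound() }
    }
}

/// Element whose `Drop` records how often it ran and, when asked, panics on its
/// first run. Only plain fields plus a shared reference, so a second drop is
/// observable as a count of 2 rather than as heap corruption.
pub struct Tracked<'a> {
    id: usize,
    panic_on_first_drop: bool,
    drops: &'a [Cell<u32>],
}

impl Drop for Tracked<'_> {
    fn drop(&mut self) {
        let prev = self.drops[self.id].get();
        self.drops[self.id].set(prev + 1);
        if self.panic_on_first_drop && prev == 0 {
            panic!("constructed panic in Drop of element {}", self.id);
        }
    }
}

/// Constructed scenario: push three elements, make the middle one panic in
/// `Drop`, run the selected `clear` under `catch_unwind` (the safe-Rust trigger
/// the advisory names), then let the container drop. Returns per-element drop counts.
pub fn drop_counts(panic_safe: bool) -> [u32; 3] {
    let drops: [Cell<u32>; 3] = [Cell::new(0), Cell::new(0), Cell::new(0)];
    let mut v: MiniVec<Tracked<'_>, 4> = MiniVec::new(panic_safe);
    for id in 0..3 {
        v.push(Tracked { id, panic_on_first_drop: id == 1, drops: &drops });
    }
    let first_clear = catch_unwind(AssertUnwindSafe(|| {
        if panic_safe { v.clear_safe() } else { v.clear_unsound() }
    }));
    assert!(first_clear.is_err(), "element 1 must panic while dropping");
    drop(v); // second visit to the slots, via MiniVec's Drop
    [drops[0].get(), drops[1].get(), drops[2].get()]
}

fn main() {
    // Unsound: elements 0 and 1 are dropped twice -> [2, 2, 1]
    println!("clear_unsound: {:?}", drop_counts(false));
    // Panic-safe: every element is dropped exactly once -> [1, 1, 1]
    println!("clear_safe:    {:?}", drop_counts(true));
}
```

With `Box<T>` elements the second visit in the unsound path would free the same allocation twice (CWE-415); with a `Drop` that dereferences heap data it would read freed memory (CWE-416). The fix is the ordering, not the order of traversal: as long as `len` stops counting a slot before that slot's destructor can panic, no later `clear` or `Drop` can reach it again.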
## Affected products
- rust/rkyv: >= 0.8.0, < 0.8.16