Unsoundness of `gaussian_blur`

[shinmao]

I consider the gaussian_blur have the unsound implementation in line 32

silicon/src/blur.rs

Lines 23 to 33 in 7837ec8

	pub fn gaussian_blur(image: RgbaImage, sigma: f32) -> RgbaImage {
	let (width, height) = image.dimensions();
	let mut raw = image.into_raw();
	let len = raw.len();
	// fastblur::gaussian_blur only accepts Vec<[u8; 4]>
	unsafe {
	raw.set_len(len / 4);
	let ptr = &mut *(&mut raw as *mut Vec<u8> as *mut Vec<[u8; 4]>);
	gaussian_blur_impl(ptr, width as usize, height as usize, sigma);

Since RgbaImage is a struct with repr(Rust), it means that it has an unstable layout and compiler preserves the right to insert any padding bytes around the fields.
When you cast the raw pointer of it to the pointer of Vec<u8>, it could lead to incorrect data interpretation and uninitialized memory exposure since Vec<u8> expects there are continuous bytes.