There's certainly a contrast between the "Oops a huge file causes a runtime failure" reported for that crate and a bunch of "Oops we have bounds misses" in C. I wonder how hard anybody worked on trying to exploit the bounds misses to get code execution. It may or may not be impossible to achieve that escalation.
But it does apply to the bzip2 crate, which is the topic of discussion. Its new pure-Rust implementation is libbz2-rs-sys, not bzip2-rs. The last sentence is irrelevant.
Ironically, there is one CVE reported in the bzip2 crate.
[1] https://app.opencve.io/cve/?product=bzip2&vendor=bzip2_proje...