This bug is in the code that writes out the icon resource data.
Specifically in this code: https://sourceforge.net/p/nsis/code/HEAD/tree/NSIS/trunk/Source/icon.cpp#l273
The data allocates an array that is the greater of two sizes -- the number of icons in the uninstaller and/or the number of icons in the setup. That's the .order.size().
But later on, only data from the actual icons array is written (icon.size()), with the remainder of the buffer containing potentially uninitialized heap data.
This bug can only be triggered if the number of layers in the uninstaller and installer icon files differ.
We encountered this in our software... issue here: https://github.com/spesmilo/electrum/commit/570c0aeca39e56c742b77380ec274d178d660c29
Suggested fix: Call ZeroMemory() on that returned group array before using it.
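The pattern described in the report, as an added illustration that is not NSIS code and not taken from icon.cpp: the group array is sized for the larger of the two icon counts, only the installer's own entries are written, and the remainder keeps whatever the heap held. `ENTRY_SIZE`, the entry layout, and `alloc_recycled` (a constructed stand-in that pre-fills a block so stale heap contents are visible deterministically) are assumptions for the example; `memset` stands in for the Windows `ZeroMemory()` the report suggests. `builds_identical` is the kind of check a reproducible-build pipeline can run: build the same resource twice over different "heap" contents and compare.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of one icon-directory entry in the group resource. The value is an
 * assumption for this example, not taken from icon.cpp. */
#define ENTRY_SIZE 14u

/* Constructed stand-in for a heap allocator that hands back recycled memory:
 * the block is pre-filled with `stale` so that the effect of not clearing it
 * is visible and deterministic. Real malloc() contents are simply undefined. */
static uint8_t *alloc_recycled(size_t n, uint8_t stale) {
    uint8_t *p = (uint8_t *)malloc(n);
    if (p) memset(p, stale, n);
    return p;
}

/* Mirrors the pattern in the report: the array is sized for
 * max(own icon count, other file's icon count) (the .order.size()), but only
 * `own` entries (icon.size()) are ever written.
 *   zero_first == 0  -> the buggy behaviour, the tail keeps stale heap bytes
 *   zero_first == 1  -> the suggested fix (ZeroMemory on Windows; memset here)
 * Returns a malloc'd buffer (caller frees) and stores its length in *out_len. */
uint8_t *build_group(size_t own, size_t other, int zero_first,
                     uint8_t stale, size_t *out_len) {
    size_t order = own > other ? own : other;
    size_t len = order * ENTRY_SIZE;
    uint8_t *buf = alloc_recycled(len, stale);
    if (!buf) return NULL;
    if (zero_first) memset(buf, 0, len);
    for (size_t i = 0; i < own; i++) {
        uint8_t *e = buf + i * ENTRY_SIZE;
        memset(e, 0, ENTRY_SIZE);
        e[0] = 16;                 /* width  (constructed value) */
        e[1] = 16;                 /* height (constructed value) */
        e[12] = (uint8_t)(i + 1);  /* resource id, low byte (constructed) */
    }
    *out_len = len;
    return buf;
}

/* Returns 1 if every byte beyond the `own` written entries is zero. */
int tail_is_zero(const uint8_t *buf, size_t len, size_t own) {
    for (size_t i = own * ENTRY_SIZE; i < len; i++)
        if (buf[i] != 0) return 0;
    return 1;
}

/* Builds one group over a stale "heap" and reports whether the unwritten
 * tail came out all zero (1) or leaked the stale bytes (0). */
int unwritten_tail_is_zero(size_t own, size_t other, int zero_first) {
    size_t len = 0;
    uint8_t *g = build_group(own, other, zero_first, 0xAA, &len);
    int ok = g && tail_is_zero(g, len, own);
    free(g);
    return ok;
}

/* Reproducibility check: build the same resource twice on "heaps" holding
 * different stale contents and compare byte for byte. 1 = identical output. */
int builds_identical(size_t own, size_t other, int zero_first) {
    size_t la = 0, lb = 0;
    uint8_t *a = build_group(own, other, zero_first, 0xAA, &la);
    uint8_t *b = build_group(own, other, zero_first, 0x55, &lb);
    int same = a && b && la == lb && memcmp(a, b, la) == 0;
    free(a);
    free(b);
    return same;
}

int main(void) {
    /* installer icon has 3 layers, uninstaller icon has 5: the differing-count
     * case the report says is needed to trigger the bug */
    printf("buggy, counts differ : identical=%d\n", builds_identical(3, 5, 0));
    printf("fixed, counts differ : identical=%d\n", builds_identical(3, 5, 1));
    printf("buggy, counts equal  : identical=%d\n", builds_identical(3, 3, 0));
    return 0;
}
```

When the two icon files have the same number of layers the buffer has no unwritten tail, so the buggy code still produces identical output; only the differing-count case leaks heap bytes into the resource, which is why the problem surfaces as a non-reproducible build rather than a visible corruption.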
Thanks for fixing! Hurray for reproducible builds!