merkle_block: add resource limit check during deserialization

[apoelstra]

Fixes #2606

[apoelstra]

I don't think this method is used except by applications implementing the p2p protocol (and I am not aware of any, at least not major ones) so I don't believe we need to bend over backward to contact or patch anybody.

But we should backport to all version back to 0.28 which is the oldest version I think is in wide use.

[coveralls]

Pull Request Test Coverage Report for Build 8318744357

Details

• 19 of 19 (100.0%) changed or added relevant lines in 1 file are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage increased (+0.01%) to 83.834%

---

Totals
Change from base Build 8318043190:	0.01%
Covered Lines:	19769
Relevant Lines:	23581

---

💛 - Coveralls

[apoelstra]

Fuzzed deserialization of MerkleBlock for 30 minutes so for with this PR. Will let it run overnight.

[tcharding]

ACK f1dcfab

Super cool to see this fixed.

[apoelstra]

Fuzzing has passed for 14.5 hours now (on a 32-core machine).

[tcharding]

Does that make it well and truly fu**ed?

[apoelstra]

Does that make it well and truly fu**ed?

It means that the fix works. (Though we may want to tighten it; I think MAX_VEC_SIZE is orders of magnitude larger than we need....but I also want something that's obviously sufficient so we can merge this quickly. We can tighten it later.)

[tcharding]

Ugh, sorry man - that was a joke (I literally had "(joke)" after it at first and removed it. fuzzed == fu**ed and the other interpretation. Too smart for my own good :)

[apoelstra]

Oh, lol :) I missed the pun.

[sanket1729]

ACK f1dcfab