Zstd bomb fix

[mzabaluev]

Fixes #876 (but see outstanding issues below), #1008.

Dependencies

movementlabsxyz/aptos-core#111

Summary

• Categories: protocol-units.

Use streamed decompression API to avoid potentially huge allocations
for blob data decompressed from zstd. The bcs decoder enforces the
length limit of 2^31 - 1 on byte arrays.

Changelog

• Prevent unlimited memory allocations in decoding compressed blobs from the DA.

Testing

Added unit tests to movement-celestia-da-util to exercise compression and decompression,
with supercritical and valid lengths for compressed payload and the data field. The test creating legit data structures with super-long blobs is ignored in default runs because of the memory and processing requirements.

Outstanding issues

As commented in #876 (comment), there are four byte array fields in the blob data structure that can each be bloated up to 2 GiB.

[l-monninger]

Do you know how fill_buf would be called here? I wondering if this in fact going to raise an Error or whether it might just panic if the buffer size is restricted.

[mzabaluev]

I don't think I fully understand this question, and we didn't restrict the size of the internal buffer.
But you did bring to my attention that the slice also supports BufRead and we can take advantage of it, bypassing the intermediate buffer.

[mzabaluev]

Yes, bcs would return an Error.

I have implemented a customizable limit on length of any variable-length fields in zefchain/bcs#12.

[l-monninger]

It looks like there was a simple container conflict.

I still have same reservation that we can effectively still be zstd bombed because the block processing time would exceed 10 seconds from the cases we've talked about offline. But, I will approve for now and we can revisit later.