psbt: it should fail when there is an extra data

[brunoerg]

We noticed that Bitcoin Core fails due to extra data after PSBT while rust-bitcoin seems not checking it. See: bitcoinfuzz/bitcoinfuzz#43

From @apoelstra:

Yep, you can see that https://docs.rs/bitcoin/0.32.0/src/bitcoin/psbt/mod.rs.html#1197-1200 (a) calls Psbt::deserialize rather than encode::deserialize (PSBT has its own serialization module which does not have any no-trailing-data-checks) and (b) does not do any additional checks.

Definitely from_str should have a max length check. Doesn't look like we have any from_slice type method but if we do then it should also do a check.

[Kixunil]

I'd still like to have a (clearly marked) function that doesn't check.

[apoelstra]

In the consensus::encode module we have a function consensus_decode which takes a reader and doesn't check (since in general there's not a way to tell whether a Read is finished other than trying to keep reading) while there is a deserialize function that takes a &[u8] and does check.

This sounds a bit ad-hoc but it actually matches the user's situation pretty well -- if you have a complete object then it's presumably representable as a slice, while if you are decoding from a stream, you know that trailing-data checks are your responsibility and not any library's.

I think we probably want a similar set of functions for psbt::Deserialize.

[Kixunil]

Yes, that makes sense.