primitives: further tighten memory allocations in witness decoder

[nyonson]

A follow up from #5239 to improve how WitnessDecoder::resize_if_needed caps its memory allocation. Original comments from @apoelstra:

I also think that somewhere we should be capping required_len to 20 Mb, which I think is the maximum amount it can be for a valid witness (one with 4 million entries, 3999999 of which are 0-length and the other one 4 million bytes).

and

This can overflow on a 16-bit machine. We should clamp new_len to usize::MAX

This may be influenced by what direction @jrakibi takes in #5177.

[jrakibi]

can this be closed? #5298 has been merged

[nyonson]

can this be closed? #5298 has been merged

Do we need to add a usize::MAX cap to resize_if_needed (the second point in the issue)? Or was that addressed in #5298 else where and I missed it...

[apoelstra]

Looks like it was addressed. The comment was about an unchecked * multiplication by 2, but the new code has no unchecked arithmetec which can overflow (at least, if it does, it's as a result of some different and much more subtle logic bug).