Potential OOM bug/exploit in graphite NBT

[rj00a]

In crates/graphite_binary/src/nbt/decode.rs the read_list function uses Vec::with_capacity(length as _). However, length has no upper bound. I believe malicious input could potentially allocate i32::MAX * sizeof(usize) bytes.

The other read functions are correctly bounded.

[Moulberry]

Should be fixed by aca938b, will leave issue open until confirmation from a second person