[release-branch.go1.13-security] encoding/binary: read at most MaxVarintLen64 bytes in ReadUvarint
    
    This CL ensures that ReadUvarint consumes only a limited
    amount of input (instead of an unbounded amount).
    
    On some inputs, ReadUvarint could read an arbitrary number
    of bytes before deciding to return an overflow error.
    After this CL, ReadUvarint returns that same overflow
    error sooner, after reading at most MaxVarintLen64 bytes.
    
    Fix authored by Robert Griesemer and Filippo Valsorda.
    
    Thanks to Diederik Loerakker, Jonny Rhea, Raúl Kripalani,
    and Preston Van Loon for reporting this.
    
    Fixes CVE-2020-16845
    
    Change-Id: Ie0cb15972f14c38b7cf7af84c45c4ce54909bb8f
    Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/812099
    Reviewed-by: Filippo Valsorda <valsorda@google.com>
    Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/812324