Commit aeab441

def-claude
andauthored
avro: Bound and validate decoding against malformed input (#36986)
Hardens the `mz-avro` decoder against adversarial input (Avro bytes/schemas arrive from Kafka and an external registry, so a panic/OOM is an availability bug): bound per-block array/map lengths and object counts by remaining input, cap object-container block byte length, bound schema-parse/value-decode recursion, and fix two schema-resolution panics on unmatched named types.

Found by the cargo-fuzz suite ([separate infra PR](#36982)). Each fix has a regression test.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
1 parent 8645d65 commit aeab441

4 files changed

Lines changed: 476 additions & 10 deletions
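
The first fix in the commit message, bounding a block's declared item count by the remaining input, can be illustrated as follows. This is an added example, not code from `mz-avro` or from the commit; the names `DecodeError`, `read_long` and `decode_long_array` are hypothetical, and it assumes an array of Avro `long`s, where every item occupies at least one byte.

```rust
#[derive(Debug, PartialEq)]
pub enum DecodeError {
    UnexpectedEof,
    VarintTooLong,
    CountExceedsInput { declared: u64, remaining: usize },
}

/// Read one Avro `long` (zigzag varint), advancing `buf` past it.
fn read_long(buf: &mut &[u8]) -> Result<i64, DecodeError> {
    let mut raw: u64 = 0;
    for i in 0..10 {
        let (&b, rest) = buf.split_first().ok_or(DecodeError::UnexpectedEof)?;
        *buf = rest;
        raw |= u64::from(b & 0x7f) << (7 * i);
        if b & 0x80 == 0 {
            return Ok(((raw >> 1) as i64) ^ -((raw & 1) as i64));
        }
    }
    Err(DecodeError::VarintTooLong)
}

/// Decode an Avro array of `long`s (hypothetical helper, not the mz-avro API).
pub fn decode_long_array(mut buf: &[u8]) -> Result<Vec<i64>, DecodeError> {
    let mut items = Vec::new();
    loop {
        let n = read_long(&mut buf)?;
        if n == 0 {
            return Ok(items); // a zero-count block terminates the array
        }
        if n < 0 {
            read_long(&mut buf)?; // negative count: a block byte size follows
        }
        let declared = n.unsigned_abs();
        // Each `long` needs at least one byte, so a valid count can never
        // exceed the bytes left. Check this BEFORE reserving any memory.
        if declared > buf.len() as u64 {
            return Err(DecodeError::CountExceedsInput { declared, remaining: buf.len() });
        }
        items.reserve(declared as usize);
        for _ in 0..declared {
            items.push(read_long(&mut buf)?);
        }
    }
}

fn main() {
    // Constructed inputs: a valid two-item array, then a 6-byte message claiming 2^31-1 items.
    println!("{:?}", decode_long_array(&[0x04, 0x02, 0x03, 0x00]));
    println!("{:?}", decode_long_array(&[0xfe, 0xff, 0xff, 0xff, 0x0f, 0x02]));
}
```

Without the count check, the second input would make the decoder reserve space for about two billion items from six bytes of input.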