CVE-2021-3711: OpenSSL SM2 heap-overflow via sm2_plaintext_size miscalculation
CVE-2021-3711 is a heap buffer overflow in OpenSSL's SM2 decryption. The sm2_plaintext_size() function in crypto/sm2/sm2_crypt.c computes the required output buffer size with a fixed overhead formula: overhead = 10 + 2*field_size + md_size. That formula is wrong because the ASN.1 INTEGER encodings of the EC point coordinates (the C1x and C1y BIGNUMs) can be shorter than field_size bytes when the values have leading zeros or are small. A malicious ciphertext with intentionally small C1x/C1y INTEGER values (a few bytes each) but a very large C2 (payload) field therefore causes sm2_plaintext_size() to return a buffer size smaller than the actual decoded C2->length. sm2_decrypt also performs no bounds check before writing C2->length bytes into ptext_buf.
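The size mismatch described above, and a guard that sizes the output from the decoded C2 length instead, shown as an added example that is not OpenSSL's code. The function names, the simplified DER walker and the 0x01-filled sample are constructed for illustration; field_size = 32 and md_size = 32 are assumed (SM2 with SM3).

```c
#include <stdint.h>
#include <string.h>
/* Fixed-overhead estimate from the text: ct_len - (10 + 2*field_size + md_size). */
long fixed_estimate(size_t ct_len, size_t field_size, size_t md_size) {
    size_t overhead = 10 + 2 * field_size + md_size;
    return ct_len < overhead ? -1 : (long)(ct_len - overhead);
}
/* Read a DER header with the expected tag; return content length or -1. */
long der_header(const uint8_t **p, const uint8_t *end, uint8_t tag) {
    if (end - *p < 2 || (*p)[0] != tag) return -1;
    size_t len = (*p)[1];
    *p += 2;
    if (len & 0x80) {                    /* long form, at most 2 length bytes */
        size_t n = len & 0x7f;
        if (n == 0 || n > 2 || (size_t)(end - *p) < n) return -1;
        for (len = 0; n > 0; n--) len = (len << 8) | *(*p)++;
    }
    return (size_t)(end - *p) < len ? -1 : (long)len;
}
/* Walk SEQUENCE { INTEGER C1x, INTEGER C1y, OCTET STRING C3, OCTET STRING C2 };
 * return the real C2 length, the number of bytes decryption will write. */
long c2_length(const uint8_t *ct, size_t ct_len) {
    static const uint8_t tags[] = {0x02, 0x02, 0x04};
    const uint8_t *p = ct, *end = ct + ct_len;
    long len = der_header(&p, end, 0x30);
    if (len < 0 || p + len != end) return -1;
    for (int i = 0; i < 3; i++) {
        if ((len = der_header(&p, end, tags[i])) < 0) return -1;
        p += len;
    }
    len = der_header(&p, end, 0x04);
    return (len >= 0 && p + len == end) ? len : -1;
}
/* Guard: accept only if the output buffer holds the decoded C2 length. */
int output_buffer_ok(const uint8_t *ct, size_t ct_len, size_t buf_len) {
    long need = c2_length(ct, ct_len);
    return need >= 0 && (size_t)need <= buf_len;
}
/* Constructed sample, not real SM2 output: 0x01-filled fields of chosen sizes
 * (each < 128, total content 128..255 so the outer length is 0x81 LL). */
size_t build_sample(uint8_t *out, size_t xy_len, size_t md, size_t c2) {
    const uint8_t tags[] = {0x02, 0x02, 0x04, 0x04};
    const size_t lens[] = {xy_len, xy_len, md, c2};
    uint8_t *p = out + 3;
    for (int i = 0; i < 4; i++) {
        *p++ = tags[i]; *p++ = (uint8_t)lens[i];
        memset(p, 0x01, lens[i]); p += lens[i];
    }
    out[0] = 0x30; out[1] = 0x81; out[2] = (uint8_t)(p - out - 3);
    return (size_t)(p - out);
}
```

With 32-byte coordinates and a 100-byte C2 the fixed estimate (101) still covers the payload; with 1-byte coordinates the same C2 yields an estimate of 39, which is the gap the guard closes.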