Plug: Unbounded buffer accumulation in multipart header parsing causes denial of service

### Summary An Allocation of Resources Without Limits or Throttling vulnerability in `Plug.Conn.read_part_headers/2` allows an unauthenticated attacker to exhaust server memory by sending a crafted `multipart/form-data` request, causing a denial of service. ### Details `Plug.Conn.read_part_headers/2` in `lib/plug/conn.ex` does not obey its `:length` parameter. There is no upper bound on the size of the accumulated buffer. By contrast, the sibling function `read_part_body` has an explicit `byte_size(acc) > length` guard that stops accumulation once a limit is reached. No such guard exists in `read_part_headers`. ### Impact This is a denial-of-service vulnerability. Any application using `Plug.Parsers` with the `:multipart` parser, or calling `Plug.Conn.read_part_headers/2` directly, is affected. An unauthenticated remote attacker can trigger the issue by sending crafted HTTP requests with no special privileges. ### References * Intro Commit: https://github.com/elixir-plug/plug/commit/c52b2f32c90bccd718202bafccb5f95594e30183 * Patch Commit: https://github.com/elixir-plug/plug/commit/d878b42efea9f12b243dc3e362a2ed048a798203