Port TlsFrameHelper bounds-check fixes from dotnet/runtime

[Copilot]

TlsFrameHelper.cs is a fork of the runtime's implementation. The only behavior-changing upstream commit since the YARP copy is dotnet/runtime#126352, which fixes 4 out-of-bounds reads found by SslStreamClientHelloFuzzer against crafted/truncated TLS frames. This PR ports those fixes.

Bounds checks added

• TryParseClientHello / TryParseServerHello — guard p.Length < sizeof(ushort) before ReadUInt16BigEndian(p) for the extension list length. Truncated input with 1 byte remaining after compression methods previously threw ArgumentOutOfRangeException.
• GetSniFromHostNameStruct — guard hostNameStruct.Length < HostNameOffset before reading the host name length.
• TryGetSupportedVersionsFromExtension — guard extensionData.IsEmpty before indexing extensionData[VersionListLengthOffset].

Not ported

• Upstream's helloLength < ProtocolVersionSize check in TryParseHelloFrame is already subsumed by YARP's stricter helloLength < MinimalHandshakeLength (44 > 2).
• Pure-style changes (== false → !, using reordering) and fixes already present in YARP (typos InsufficientSecurity/MaximumFragmentLength, TLS 1.0/1.1 obsoletion pragmas, unified SSL2 framing, ParsingStatus, cipher suite parsing).

Example

// TryParseClientHello, after skipping compression methods:
if (p.IsEmpty) { return true; }

if (p.Length < sizeof(ushort))   // <-- added; was reading past end
{
    return false;
}

int extensionListLength = BinaryPrimitives.ReadUInt16BigEndian(p);