Currently all the public API(except the pointer-like API) in CPubKey that sets/constructs a pubkey goes through CPubKey::Set which checks if that the length and size match and if not invalidates the key.
This adds the same check to CPubKey::Unserialize, sadly I don't see an easy way to just push this to the existing checks in CPubKey::Set but it's only a simple condition.
The problem with not invalidating is that if you write a pubkey like: {0x02,0x00} it will think the actual length is 33(because of size()) and will access uninitialized memory if you call any of the functions on CPubKey.
This is a backport of core#19237