miantalha45 opened a new pull request, #3629: URL: https://github.com/apache/fory/pull/3629
## Why This PR fixes two out-of-bounds bugs in the Dart runtime that were caused by trusting integer values read directly from the wire. A malformed payload can provide an invalid reference id or meta-string index, which currently leads to a `RangeError` instead of a controlled failure. In a server environment, this can be used as a denial-of-service vector by crashing the Dart process with a single crafted packet. ## What does this PR do? Bounds checking in `RefReader`: - Added range validation before reading or resolving a ref id. - This prevents out-of-bounds access when a malicious payload supplies a ref id larger than the current reference table. Bounds checking in `MetaStringReader`: - Added range validation before resolving a dynamic meta-string reference. - This prevents negative or out-of-range indexing when the header encodes an invalid reference. Security and regression tests: - Added focused tests for the malformed ref-id and meta-string-reference cases. - Added coverage for valid boundary cases to make sure normal edge values still work correctly. ## Related issues Closes #3627 ## AI Contribution Checklist - [ ] Substantial AI assistance was used in this PR: `yes` / `no` - [ ] If `yes`, I included a completed [AI Contribution Checklist](https://github.com/apache/fory/blob/main/AI_POLICY.md#9-contributor-checklist-for-ai-assisted-prs) in this PR description and the required `AI Usage Disclosure`. - [ ] If `yes`, my PR description includes the required `ai_review` summary and screenshot evidence of the final clean AI review results from both fresh reviewers on the current PR diff or current HEAD after the latest code changes. ## Does this PR introduce any user-facing change? - [ ] Does this PR introduce any public API change? - [ ] Does this PR introduce any binary protocol compatibility change? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
