[Dart] runtime crashes on malformed reference metadata instead of rejecting it cleanly #3627

@miantalha45

Description

Search before asking

  • I had searched in the issues and found no similar issues.

Version

0.17.0

Component(s)

Other

Minimal reproduce step

Just run this test script to reproduce the issue:

import 'package:fory/src/config.dart';
import 'package:fory/src/context/meta_string_reader.dart';
import 'package:fory/src/context/ref_reader.dart';
import 'package:fory/src/context/ref_writer.dart';
import 'package:fory/src/memory/buffer.dart';
import 'package:fory/src/resolver/type_resolver.dart';
import 'package:test/test.dart';

void main() {
  test('RefReader.readRefOrNull does not throw for an out-of-range ref id',
      () {
    final reader = RefReader();
    final buffer = Buffer();

    // Ref flag followed by ref id 9999, far beyond anything the fresh reader tracks.
    buffer.writeByte(RefWriter.refFlag);
    buffer.writeVarUint32(9999);
    bufferSetReaderIndex(buffer, 0);

    expect(
      () => reader.readRefOrNull(buffer),
      returnsNormally,
    );
  });

  test(
      'MetaStringReader.readMetaString does not throw for a negative ref index',
      () {
    final reader = MetaStringReader(TypeResolver(const Config()));
    final buffer = Buffer();

    // Header 1 is read as a reference header; length - 1 then yields index -1.
    buffer.writeVarUint32Small7(1);
    bufferSetReaderIndex(buffer, 0);

    expect(
      () => reader.readMetaString(buffer),
      returnsNormally,
    );
  });
}

What did you expect to see?

I expected the Dart runtime to reject the malformed reference data cleanly, without throwing a RangeError or crashing.
For the ref test, I expected readRefOrNull to handle an out-of-range ref id safely.
For the meta-string test, I expected readMetaString to handle the crafted reference header safely instead of indexing -1.

What did you see instead?

The current Dart runtime throws RangeError for both cases.
RefReader.readRefOrNull indexes _refs[id] directly when the ref flag is set, so a large ref id like 9999 fails with an out-of-range error.
MetaStringReader.readMetaString computes length - 1 for a reference header, so header 1 becomes index -1 and fails with a RangeError.

Anything Else?

No response

Are you willing to submit a PR?

  • I'm willing to submit a PR!
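
An added sketch, not part of the original issue and not Fory's code, of the validation both reported paths are missing: every index decoded from the wire is range-checked before it touches a table. `ByteCursor`, `lookupRef`, `readRef` and `readMetaStringRef` are hypothetical names. It assumes rejection is signalled with a `FormatException` and that the low bit of the meta-string header marks a reference.

```dart
import 'dart:typed_data';
// Hypothetical cursor over untrusted bytes; not a Fory class.
class ByteCursor {
  ByteCursor(List<int> data) : bytes = Uint8List.fromList(data);
  final Uint8List bytes;
  int pos = 0;
  // Unsigned varint, at most 5 bytes for a 32-bit value.
  int readVarUint32() {
    var result = 0;
    for (var shift = 0; shift < 35; shift += 7) {
      if (pos >= bytes.length) throw const FormatException('truncated varint');
      final b = bytes[pos++];
      result |= (b & 0x7f) << shift;
      if ((b & 0x80) == 0) return result & 0xffffffff;
    }
    throw const FormatException('varint longer than 5 bytes');
  }
}

// Bounds-checked lookup: a wire-supplied index never reaches table[id] unchecked.
T lookupRef<T>(List<T> table, int id, String what) {
  if (id < 0 || id >= table.length) {
    throw FormatException('$what $id out of range, table size ${table.length}');
  }
  return table[id];
}
Object? readRef(ByteCursor c, List<Object?> refs) =>
    lookupRef(refs, c.readVarUint32(), 'ref id');
// Assumed layout: low bit set marks a reference, header >> 1 is a 1-based index.
String readMetaStringRef(ByteCursor c, List<String> seen) {
  final header = c.readVarUint32();
  if ((header & 1) == 0) throw const FormatException('not a reference header');
  return lookupRef(seen, (header >> 1) - 1, 'meta-string ref');
}
void main() {
  // Constructed inputs: varint 9999 is 0x8F 0x4E; header 1 is 0x01.
  final cases = <String, void Function()>{
    'ref id 9999': () => readRef(ByteCursor([0x8f, 0x4e]), <Object?>[]),
    'meta header 1': () => readMetaStringRef(ByteCursor([0x01]), <String>[]),
  };
  cases.forEach((name, run) {
    try {
      run();
      print('$name: accepted');
    } on FormatException catch (e) {
      print('$name: rejected: ${e.message}');
    }
  });
}
```

In Dart, `RangeError` is an `Error` rather than an `Exception`, so a caller that wraps deserialization in `on Exception` does not catch it. Raising an `Exception` type for malformed input keeps hostile payloads on the caller's normal error path.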

Labels: bug (Something isn't working)