
fix(dart): guard ref and meta-string index reads#3629

Open
miantalha45 wants to merge 6 commits into apache:main from miantalha45:fix/dart-ref-meta-string-oob

Conversation

@miantalha45
Contributor

Why

This PR fixes two out-of-bounds bugs in the Dart runtime that were caused by trusting integer values read directly from the wire.

A malformed payload can provide an invalid reference id or meta-string index, which currently leads to a RangeError instead of a controlled failure. In a server environment, this can be used as a denial-of-service vector by crashing the Dart process with a single crafted packet.

What does this PR do?

Bounds checking in RefReader:

  • Added range validation before reading or resolving a ref id.
  • This prevents out-of-bounds access when a malicious payload supplies a ref id larger than the current reference table.

Bounds checking in MetaStringReader:

  • Added range validation before resolving a dynamic meta-string reference.
  • This prevents negative or out-of-range indexing when the header encodes an invalid reference.

Security and regression tests:

  • Added focused tests for the malformed ref-id and meta-string-reference cases.
  • Added coverage for valid boundary cases to make sure normal edge values still work correctly.

Related issues

Closes #3627

AI Contribution Checklist

  • Substantial AI assistance was used in this PR: yes / no
  • If yes, I included a completed AI Contribution Checklist in this PR description and the required AI Usage Disclosure.
  • If yes, my PR description includes the required ai_review summary and screenshot evidence of the final clean AI review results from both fresh reviewers on the current PR diff or current HEAD after the latest code changes.

Does this PR introduce any user-facing change?

  • Does this PR introduce any public API change?
  • Does this PR introduce any binary protocol compatibility change?
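The following is an added example, not code from this PR or from the Apache Fory Dart runtime. It sketches the failure the PR description names and the fix it describes: a reader takes a reference id and a meta-string header as varints from the wire, and the unchecked path lets an attacker-controlled index reach `List.[]`, which in Dart throws an uncaught RangeError, while the guarded path range-checks against the current table size and raises a controlled deserialization error instead. The varint encoding, the header layout (low bit = back-reference flag, remaining bits = index or inline length), and every class and method name below are assumptions for illustration only.

```dart
// Added example (not Apache Fory code). All names and encodings are assumed.
import 'dart:convert';
import 'dart:typed_data';

/// Controlled failure raised for malformed input (hypothetical type).
class DeserializationException implements Exception {
  final String message;
  DeserializationException(this.message);
  @override
  String toString() => 'DeserializationException: $message';
}

/// Cursor over the incoming bytes; every read is bounds-checked.
class WireReader {
  final Uint8List _buf;
  int _pos = 0;
  WireReader(this._buf);

  /// Unsigned LEB128 varint (assumed wire encoding for ids and headers).
  int readVarUint32() {
    var result = 0, shift = 0;
    while (true) {
      if (_pos >= _buf.length) {
        throw DeserializationException('truncated varint at offset $_pos');
      }
      final b = _buf[_pos++];
      result |= (b & 0x7f) << shift;
      if ((b & 0x80) == 0) return result;
      if ((shift += 7) > 28) {
        throw DeserializationException('varint too long at offset $_pos');
      }
    }
  }

  /// Length-prefixed bytes; the length is also attacker-controlled.
  Uint8List readBytes(int n) {
    if (n < 0 || n > _buf.length - _pos) {
      throw DeserializationException('length $n exceeds remaining bytes');
    }
    final out = Uint8List.sublistView(_buf, _pos, _pos + n);
    _pos += n;
    return out;
  }
}

/// Table of objects already read, indexed by reference id.
class RefReader {
  final List<Object?> _table = [];
  void register(Object? obj) => _table.add(obj);

  /// Unchecked shape: an id >= table size escapes as a RangeError.
  Object? readRefUnchecked(WireReader r) => _table[r.readVarUint32()];

  /// Guarded shape: validate the id before resolving it.
  Object? readRef(WireReader r) {
    final refId = r.readVarUint32();
    if (refId < 0 || refId >= _table.length) {
      throw DeserializationException(
          'ref id $refId out of range (table size ${_table.length})');
    }
    return _table[refId];
  }
}

/// Meta-strings are either inline (registered on first sight) or a
/// back-reference to one seen earlier in the same stream.
class MetaStringReader {
  final List<String> _seen = [];

  String read(WireReader r) {
    final header = r.readVarUint32();
    final isRef = (header & 1) == 1;
    final value = header >> 1;
    if (isRef) {
      // Guard both ends: a signed decode elsewhere could yield a negative.
      if (value < 0 || value >= _seen.length) {
        throw DeserializationException(
            'meta-string ref $value out of range (${_seen.length} seen)');
      }
      return _seen[value];
    }
    final s = utf8.decode(r.readBytes(value));
    _seen.add(s);
    return s;
  }
}

void main() {
  // Constructed payload: inline "id" (header 2<<1|0 = 4, then 'i','d'),
  // a valid back-reference to index 0 (header 1), then a crafted
  // back-reference to index 5 (header 11) with only one string seen.
  final ms = MetaStringReader();
  final r = WireReader(Uint8List.fromList([4, 0x69, 0x64, 1, 11]));
  print(ms.read(r));
  print(ms.read(r));
  try {
    ms.read(r);
  } on DeserializationException catch (e) {
    print('rejected: $e');
  }

  // One registered object; a crafted ref id of 7 must be rejected.
  final refs = RefReader()..register('first');
  try {
    refs.readRef(WireReader(Uint8List.fromList([7])));
  } on DeserializationException catch (e) {
    print('rejected: $e');
  }
  try {
    refs.readRefUnchecked(WireReader(Uint8List.fromList([7])));
  } on RangeError catch (e) {
    print('unchecked path escaped as RangeError: $e');
  }
}
```

The check belongs at the point where the integer leaves the wire and before it is used as an index; the table it is checked against must be the one actually indexed (the current size at that moment, not a size captured earlier), and a length prefix for inline data needs the same treatment against the remaining buffer. The regression tests the PR mentions should exercise both ends of the range: the last valid index (size minus one) must still resolve, and size itself, as well as a negative value where the decoder can produce one, must raise the controlled error.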

@miantalha45
Contributor Author

miantalha45 commented Apr 28, 2026

@chaokunyang Have a look at this PR when you have time


Development

Successfully merging this pull request may close these issues.

[Dart] runtime crashes on malformed reference metadata instead of rejecting it cleanly