read_bytes/read_string/read_message use read_int32 to obtain the length without validating for negative or overflow values. Negative lengths or very large values can cause invalid allocations or stream desync.
Suggested fix: reject negative sizes, and validate against any remaining LimitedReader limit before allocating/reading. Mirror in async paths.
Refs: lib/reader.mbt, lib/async_reader.mbt.
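
A sketch of the suggested checks, added here as an illustration in Python; it is not code from lib/reader.mbt or lib/async_reader.mbt. It assumes read_int32 decodes a varint and reinterprets the low 32 bits as signed, and it models the LimitedReader limit as a plain `remaining` byte count; `LengthError`, `read_bytes_checked` and `try_read` are hypothetical names.

```python
import io

class LengthError(ValueError):
    """Length prefix is negative, over the limit, or truncated."""

def read_varint(stream):
    """Decode a base-128 varint of at most 10 bytes."""
    result = 0
    for shift in range(0, 70, 7):
        byte = stream.read(1)
        if not byte:
            raise LengthError("truncated varint")
        result |= (byte[0] & 0x7F) << shift
        if not byte[0] & 0x80:
            return result
    raise LengthError("varint longer than 10 bytes")

def read_int32(stream):
    """Assumed behaviour: keep the low 32 bits and reinterpret them as signed."""
    value = read_varint(stream) & 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value

def read_bytes_checked(stream, remaining):
    """Read one length-delimited field; returns (payload, limit left)."""
    start = stream.tell()
    size = read_int32(stream)
    remaining -= stream.tell() - start  # the prefix counts against the limit
    if size < 0:
        raise LengthError(f"negative length {size}")
    if size > remaining:  # checked before any allocation or read
        raise LengthError(f"length {size} exceeds remaining limit {remaining}")
    data = stream.read(size)
    if len(data) != size:  # stream ended early: fail instead of desyncing
        raise LengthError("short read")
    return data, remaining - size

def try_read(raw, limit):
    """Return the payload, or the rejection reason as a string."""
    try:
        return read_bytes_checked(io.BytesIO(raw), limit)[0]
    except LengthError as exc:
        return str(exc)

if __name__ == "__main__":
    # Constructed inputs: valid, -1 as int32, oversized, truncated payload.
    for raw in (b"\x03abc", b"\xff\xff\xff\xff\x0f", b"\x7fab", b"\x05ab"):
        print(raw, "->", try_read(raw, 16))
```

The same three checks (negative, over the remaining limit, short read) apply unchanged to read_string and read_message, since they share the length prefix.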