Avoid trusting the length encoded in the Snapshot if there is an

runtime/vm/native_message_handler.cc

Index: runtime/vm/native_message_handler.cc
===================================================================
--- runtime/vm/native_message_handler.cc	(revision 10993)
+++ runtime/vm/native_message_handler.cc	(working copy)
@@ -46,15 +46,21 @@
     // We currently do not use OOB messages for native ports.
     UNREACHABLE();
   }
+
+  const Snapshot* snapshot = Snapshot::SetupFromBuffer(message->data(),
+                                                       message->len());
+  if (snapshot == NULL || !snapshot->IsMessageSnapshot()) {
+    if (message->IsLocal()) {
+      FATAL("NativeMessageHandler saw malformed message.  Exiting.");
+    }
+    delete message;
+    return true;
+  }
+
   // Enter a native scope for handling the message. This will create a
   // zone for allocating the objects for decoding the message.
   ApiNativeScope scope;
-
-  int32_t length = reinterpret_cast<int32_t*>(
-      message->data())[Snapshot::kLengthIndex];
-  ApiMessageReader reader(message->data() + Snapshot::kHeaderSize,
-                          length,
-                          zone_allocator);
+  ApiMessageReader reader(snapshot, zone_allocator);
   Dart_CObject* object = reader.ReadMessage();
   (*func())(message->dest_port(), message->reply_port(), object);
   delete message;