fix: security bugs: ReadHashSet allocation attack, Unbatcher overflow

[Copilot]

Two independent security bugs, one per commit.

ReadHashSet missing allocation limit (NetworkReaderExtensions.cs)

ReadList and ReadArray both guard against allocation attacks via NetworkReader.AllocationLimit. ReadHashSet was missing this check — a malicious peer can send an arbitrarily large length and force unbounded allocation (DoS).

Unbatcher integer overflow on size prefix (Unbatcher.cs)

DecompressVarUInt returns ulong. The direct cast to int wraps values > int.MaxValue to negative, which silently passes reader.Remaining < size (negative is always less). A malformed batch bypasses size validation entirely.

// Before: silent wraparound
int size = (int)Compression.DecompressVarUInt(reader);

// After: explicit overflow guard
ulong rawSize = Compression.DecompressVarUInt(reader);
if (rawSize > int.MaxValue) { Clear(); throw ...; }
int size = (int)rawSize;

[miwarnec]

@copilot drop the syncdictionary change

[Copilot]

@copilot drop the syncdictionary change

Reverted in revert: drop SyncDictionary.Remove(KeyValuePair) change per review.

[miwarnec]

@copilot add test coverage if its low overhead to our existin gtests

[Copilot]

@copilot add test coverage if its low overhead to our existin gtests

Added in a2f387d:

• TestReadHashSet_LengthIsTooBig — mirrors the existing TestReadList_LengthIsTooBig/TestReadArray_LengthIsTooBig pattern
• GetNextMessage_SizePrefixOverflow_Throws — crafts a batch with a VarUInt size > int.MaxValue and asserts it throws

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 42.22%. Comparing base (b25a14b) to head (a2f387d).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #4115      +/-   ##
==========================================
+ Coverage   42.19%   42.22%   +0.03%     
==========================================
  Files         156      156              
  Lines       15092    15100       +8     
==========================================
+ Hits         6368     6376       +8     
  Misses       8724     8724              

Flag	Coverage Δ
unittests	42.22% <100.00%> (+0.03%)	⬆️
unity-6000.5.0f1	?
unity-6000.5.1f1	42.22% <100.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines	Coverage Δ
Assets/Mirror/Core/Batching/Unbatcher.cs	96.61% <100.00%> (+0.31%)	⬆️
Assets/Mirror/Core/NetworkReaderExtensions.cs	93.03% <100.00%> (+0.10%)	⬆️

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.