fix: consuming v0.9 A2UI JSONL stream

[juan-vgv]

Description

Fixes #867.

Pre-launch Checklist

• I read the Flutter Style Guide recently, and have followed its advice.
• I signed the CLA.
• I read the Contributors Guide.
• I have added sample code updates to the changelog.
• I updated/added relevant documentation (doc comments with ///).

If you need help, consider asking for advice on the #hackers-devrel channel on Discord.

[gemini-code-assist]

Code Review

This pull request introduces logic to handle JSONL separators by tracking whether the last processed event was a JSON message. While this correctly handles whitespace between JSON objects, a potential Denial of Service vulnerability was identified where the buffer could grow indefinitely if followed by a continuous stream of whitespace. A limit on the buffer size for whitespace-only content is recommended to prevent memory exhaustion.

[gemini-code-assist]

The newly introduced logic for handling JSONL separators in the _processBuffer method allows the _buffer to grow indefinitely if a JSON message is followed by a continuous stream of whitespace. When _lastWasJson is true and the buffer contains only whitespace, the code breaks out of the processing loop without clearing or emitting the buffer (lines 136-140). An attacker providing a stream of data can exploit this by sending a valid JSON message followed by an infinite or extremely large amount of whitespace, leading to memory exhaustion and a Denial of Service (DoS) crash of the application.

To remediate this, implement a limit on the maximum amount of whitespace that can be held in the buffer as a separator. If the whitespace-only buffer exceeds a reasonable threshold (e.g., 4KB), it should be cleared or emitted as a TextEvent to prevent unbounded memory growth.

          if (_lastWasJson && _buffer.trim().isEmpty) {
            if (_buffer.length > 4096) {
              _emitText(_buffer);
              _buffer = '';
            } else {
              break;
            }
          }