Fix bugs found in security audit: overflow, unchecked malloc, div-by-zero

- sc_gfx_resize (Bug 1): add integer overflow guard before realloc
  matching the existing check in sc_gfx_init
- _sc_font_cache_glyph (Bug 2): reject glyphs wider than atlas
  (gw > SC_FONT_ATLAS_W) to prevent heap buffer overflow from
  memcpy past row boundary
- Vulkan backend (Bug 4): add NULL checks for all 6 unchecked
  malloc/calloc calls (fmt list, swapchain arrays, phys array,
  queue family props) — return VK_ERROR_OUT_OF_HOST_MEMORY or
  SC_ERR_OOM on failure
- Layout SPACE_AROUND (Bug 6): add nc_in/nc > 0 guard to prevent
  division by zero in both single-line and multi-line paths
- sc_font.h: document ASCII-only limitation (UTF-8 not decoded)

Author: amalxloop

backends/sc_backend_vulkan.h

@@ -417,6 +417,7 @@ static VkResult _sc_vk_create_swapchain(VkDevice dev, VkPhysicalDevice phy,
     u32 fmt_count;
     vkGetPhysicalDeviceSurfaceFormatsKHR(phy, surface, &fmt_count, NULL);
     VkSurfaceFormatKHR *fmts = (VkSurfaceFormatKHR*)malloc(fmt_count * sizeof(VkSurfaceFormatKHR));
+    if (!fmts) return VK_ERROR_OUT_OF_HOST_MEMORY;
     vkGetPhysicalDeviceSurfaceFormatsKHR(phy, surface, &fmt_count, fmts);
 
     VkSurfaceFormatKHR sf = fmts[0];
@@ -454,6 +455,13 @@ static VkResult _sc_vk_create_swapchain(VkDevice dev, VkPhysicalDevice phy,
     *out_images = (VkImage*)malloc(*out_len * sizeof(VkImage));
     *out_views  = (VkImageView*)malloc(*out_len * sizeof(VkImageView));
     *out_fbos   = (VkFramebuffer*)malloc(*out_len * sizeof(VkFramebuffer));
+    if (!*out_images || !*out_views || !*out_fbos) {
+        free(*out_images); free(*out_views); free(*out_fbos);
+        *out_images = NULL; *out_views = NULL; *out_fbos = NULL;
+        vkDestroySwapchainKHR(dev, *out_swap, NULL);
+        *out_swap = VK_NULL_HANDLE; *out_len = 0;
+        return VK_ERROR_OUT_OF_HOST_MEMORY;
+    }
     vkGetSwapchainImagesKHR(dev, *out_swap, out_len, *out_images);
 
     for (u32 i = 0; i < *out_len; i++) {
@@ -731,6 +739,7 @@ SCResult sc_vulkan_init(SCGfxContext *ctx, const SCGfxDesc *desc,
     vkEnumeratePhysicalDevices(s->instance, &phy_count, NULL);
     if (phy_count == 0) { sc_vulkan_shutdown(ctx); return SC_ERR_GFX; }
     VkPhysicalDevice *phys = (VkPhysicalDevice*)malloc(phy_count * sizeof(VkPhysicalDevice));
+    if (!phys) { sc_vulkan_shutdown(ctx); return SC_ERR_OOM; }
     vkEnumeratePhysicalDevices(s->instance, &phy_count, phys);
     s->phy_dev = phys[0];
     for (u32 i = 0; i < phy_count; i++) {
@@ -747,6 +756,7 @@ SCResult sc_vulkan_init(SCGfxContext *ctx, const SCGfxDesc *desc,
     vkGetPhysicalDeviceQueueFamilyProperties(s->phy_dev, &qf_count, NULL);
     VkQueueFamilyProperties *qf = (VkQueueFamilyProperties*)malloc(
         qf_count * sizeof(VkQueueFamilyProperties));
+    if (!qf) { sc_vulkan_shutdown(ctx); return SC_ERR_OOM; }
     vkGetPhysicalDeviceQueueFamilyProperties(s->phy_dev, &qf_count, qf);
 
     u32 gfx_idx = UINT32_MAX;

include/sc_font.h

@@ -5,6 +5,9 @@
  * Each SCFont represents one font face at a specific pixel size.
  * Glyphs are lazily rendered and cached in a packed atlas texture.
  *
+ * NOTE: Only ASCII (U+0000–U+007F) is supported for text rendering.
+ *       Multi-byte UTF-8 sequences are not decoded.
+ *
  * #define SC_FONT_IMPLEMENTATION
  * #include "sc_font.h"
  */
@@ -97,6 +100,12 @@ static SCFontGlyph *_sc_font_cache_glyph(SCFont *font, u32 codepoint) {
         return g;
     }
 
+    /* Reject glyph wider than the atlas (would overflow row) */
+    if ((u32)gw > SC_FONT_ATLAS_W) {
+        stbtt_FreeBitmap(bitmap, NULL);
+        return NULL;
+    }
+
     /* Pack into atlas (simple row-based packer) */
     if (font->atlas_cursor_x + (u32)gw > SC_FONT_ATLAS_W) {
         font->atlas_cursor_x = 0;

include/sc_gfx.h

@@ -692,6 +692,7 @@ void sc_gfx_set_rasterize(SCGfxContext *ctx, bool enable) {
 
 SCResult sc_gfx_resize(SCGfxContext *ctx, u32 width, u32 height) {
     if (!ctx || width == 0 || height == 0) return SC_ERR_INVALID_ARG;
+    if (height > (SIZE_MAX / 4) / width) return SC_ERR_INVALID_ARG;
 #ifdef SC_GFX_BACKEND_VULKAN
     if (ctx->backend == SC_BACKEND_VULKAN) {
         return sc_vulkan_resize(ctx, width, height);

include/sc_layout.h

@@ -381,7 +381,7 @@ static void _sc_layout_distribute(SCLayoutTree *t, i32 idx,
                 case SC_JUSTIFY_SPACE_BETWEEN: cursor = pad_start_main;
                     igap = (nc_in > 1) ? line_free / (f32)(nc_in - 1) : 0;
                     igap += s->gap; break;
-                case SC_JUSTIFY_SPACE_AROUND:  igap = line_free / (f32)nc_in;
+                case SC_JUSTIFY_SPACE_AROUND:  igap = (nc_in > 0) ? line_free / (f32)nc_in : 0;
                     cursor = pad_start_main + igap * 0.5f; igap += s->gap; break;
             }
 
@@ -454,7 +454,7 @@ static void _sc_layout_distribute(SCLayoutTree *t, i32 idx,
             case SC_JUSTIFY_SPACE_BETWEEN: cursor = pad_start_main;
                 igap = (nc > 1) ? free_space / (f32)(nc-1) : 0;
                 igap += s->gap; break;
-            case SC_JUSTIFY_SPACE_AROUND:  igap = free_space / (f32)nc;
+            case SC_JUSTIFY_SPACE_AROUND:  igap = (nc > 0) ? free_space / (f32)nc : 0;
                 cursor = pad_start_main + igap*0.5f; igap += s->gap; break;
         }