fix: prevent heap-buffer-overflow in ve_fontcache_load on truncated buffers

stbtt_InitFont reads num_tables at data+4 (2 bytes). Passing a 4-byte
buffer caused a 1-byte heap-buffer-overflow read (confirmed by ASan),
which corrupted heap metadata and manifested as a process crash at exit
on clang-cl and an apparent startup crash on MSVC.

Two fixes:
1. Add data_size < 6 guard in ve_fontcache_load before calling stbtt_InitFont,
   preventing the out-of-bounds read on any buffer too small for basic header
   parsing.
2. Update the lifecycle test to use a 16-byte zero buffer instead of 4 bytes,
   so the test still exercises the "invalid data consumes slot" path safely.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

Author: hypernewbie

tests/test_lifecycle.cpp

@@ -76,7 +76,10 @@ UTEST( lifecycle, load_invalid_truncated_buffer_consumes_entry_slot )
 	ve_font_id font_before = ctx.load_file( vefc_test::kRoboto );
 	 ASSERT_GE( font_before, 0 );
 
-	std::vector< uint8_t > bad_buffer = { 0x00, 0x01, 0x02, 0x03 };
+	// Must be >= 6 bytes so stbtt_InitFont can safely read the num_tables
+	// field at data+4 without a heap-buffer-overflow. With all bytes zero,
+	// num_tables=0 so no further reads occur and the function fails cleanly.
+	std::vector< uint8_t > bad_buffer( 16, 0 );
 	ve_font_id bad_font = ve_fontcache_load( &ctx.cache, bad_buffer.data(), bad_buffer.size(), 24.0f );
 	 ASSERT_EQ( -1, bad_font );
 

ve_fontcache.h

@@ -721,7 +721,10 @@ static void ve_fontcache_invalidate_font_from_LRU( ve_fontcache_LRU& LRU, ve_fon
 ve_font_id ve_fontcache_load( ve_fontcache* cache, const void* data, size_t data_size, float size_px )
 {
 	STBTT_assert( cache );
-	if ( !data  ) return -1;
+	if ( !data ) return -1;
+	// stbtt_InitFont reads num_tables at data+4 (2 bytes), so we need >= 6 bytes
+	// to avoid a heap-buffer-overflow read on very small/truncated buffers.
+	if ( data_size < 6 ) return -1;
 
 	// Allocate cache entry.
 	int id = -1;