fix: OOB read in tom_render_*_scanline (closes #127)

ASAN on PR #126 surfaced a global-buffer-overflow read 1 byte past
tomRam8 in tom_render_16bpp_cry_scanline (src/tom/tom.c:625).
Same pattern in all five render variants: the per-pixel loop
walks current_line_buffer (= tomRam8[0x1800], 10240 bytes max)
based on tomWidth, which can be set by display registers to a
value larger than the line buffer holds.

Fix: new helper tom_clamp_line_buffer_width() that, given the
current cursor, the requested width, the per-iteration source-byte
cost (2 for 16bpp, 4 for 24bpp), and the pwidth_scale, returns a
clamped width that guarantees the loop won't read past the end of
tomRam8.

Applied to all five render entry points:
  - tom_render_16bpp_cry_rgb_mix_scanline
  - tom_render_16bpp_cry_scanline      (the one ASAN caught)
  - tom_render_24bpp_scanline
  - tom_render_16bpp_direct_scanline
  - tom_render_16bpp_rgb_scanline

Closes #127.  With this in, the sanitizers CI job should go fully
clean -- candidate to flip continue-on-error: true to false in a
follow-up.

Co-Authored-By: Claude Opus 4.7 <[email protected]>

Author: JoeMatt

src/tom/tom.c

@@ -548,6 +548,29 @@ uint16_t TOMGetMEMCON1(void)
 }
 
 #define LEFT_BG_FIX
+
+/* Clamp `width` so the per-pixel loop in a tom_render_*_scanline()
+ * cannot walk past the end of tomRam8 via current_line_buffer.
+ * Catches an ASAN-reported OOB read (#127): when display registers
+ * request a width larger than the on-chip line buffer holds
+ * (10240 bytes at tomRam8[0x1800..0x3FFF]).
+ *
+ *   bytes_per_iter: source bytes consumed per loop iter (2 for 16bpp
+ *                   variants, 4 for 24bpp).
+ *   pwidth_scale:   backbuffer pixels produced per loop iter. */
+static uint16_t tom_clamp_line_buffer_width(
+   const uint8_t *current_line_buffer, uint16_t width,
+   unsigned bytes_per_iter, uint8_t pwidth_scale)
+{
+   const uint8_t *lb_end = &tomRam8[sizeof(tomRam8)];
+   unsigned long bytes_left;
+   unsigned long safe_width;
+   if (current_line_buffer >= lb_end) return 0;
+   bytes_left = (unsigned long)(lb_end - current_line_buffer);
+   safe_width = (bytes_left / bytes_per_iter) * pwidth_scale;
+   return (width > safe_width) ? (uint16_t)safe_width : width;
+}
+
 // 16 BPP CRY/RGB mixed mode rendering
 void tom_render_16bpp_cry_rgb_mix_scanline(uint32_t * backbuffer)
 {
@@ -579,6 +602,7 @@ void tom_render_16bpp_cry_rgb_mix_scanline(uint32_t * backbuffer)
    backbuffer += 2 * startPos, width -= startPos;
 #endif
 
+   width = tom_clamp_line_buffer_width(current_line_buffer, width, 2, pwidth_scale);
    while (width >= pwidth_scale)
    {
       uint16_t color = (*current_line_buffer++) << 8;
@@ -620,6 +644,7 @@ void tom_render_16bpp_cry_scanline(uint32_t * backbuffer)
    backbuffer += 2 * startPos, width -= startPos;
 #endif
 
+   width = tom_clamp_line_buffer_width(current_line_buffer, width, 2, pwidth_scale);
    while (width >= pwidth_scale)
    {
       uint16_t color = (*current_line_buffer++) << 8;
@@ -661,6 +686,7 @@ void tom_render_24bpp_scanline(uint32_t * backbuffer)
    backbuffer += 2 * startPos, width -= startPos;
 #endif
 
+   width = tom_clamp_line_buffer_width(current_line_buffer, width, 4, pwidth_scale);
    while (width >= pwidth_scale)
    {
       uint32_t b;
@@ -687,6 +713,7 @@ void tom_render_16bpp_direct_scanline(uint32_t * backbuffer)
    uint8_t pwidth = ((GET16(tomRam8, VMODE) & PWIDTH) >> 9) + 1;
    uint8_t pwidth_scale = (pwidth >= 8) ? (pwidth / 4) : 1;
 
+   width = tom_clamp_line_buffer_width(current_line_buffer, width, 2, pwidth_scale);
    while (width >= pwidth_scale)
    {
       uint16_t color = (*current_line_buffer++) << 8;
@@ -729,6 +756,7 @@ void tom_render_16bpp_rgb_scanline(uint32_t * backbuffer)
    backbuffer += 2 * startPos, width -= startPos;
 #endif
 
+   width = tom_clamp_line_buffer_width(current_line_buffer, width, 2, pwidth_scale);
    while (width >= pwidth_scale)
    {
       uint32_t color = (*current_line_buffer++) << 8;