gfx/drivers/metal: NULL-check _viewport and video_shader callocs in init and shader load paths

Two unchecked C allocs in metal.m that NULL-deref downstream
on OOM.  The Metal driver is predominantly ARC-managed
Objective-C, but these two heap-allocated C structs survive
outside the ARC object graph and had no NULL handling.

=== MetalDriver initWithVideo: _viewport calloc ===

The MetalDriver class exposes a 'viewport' property whose
backing ivar is a video_viewport_t* allocated at init time:

    @Property (nonatomic, readwrite) video_viewport_t *viewport;
    ...
    _viewport = (video_viewport_t *)calloc(1, sizeof(video_viewport_t));
    _viewportMVP.projectionMatrix = matrix_proj_ortho(0, 1, 0, 1);

The calloc was unchecked.  Two later paths dereference the
pointer:

  1. Context's setViewport: handler (Context is the MetalDriver's
     _context ivar) does

         _viewport = *viewport;

     - unconditional dereference.  MetalDriver
     assigns to _context.viewport via the property setter in
     setVideoMode / show_mouse / frame, which would crash on a
     NULL _viewport.

  2. FrameView also holds a video_viewport_t *_viewport ivar,
     assigned from MetalDriver's _viewport via
     _frameView.viewport = _viewport.  FrameView
     reads _viewport->x/y/width/height unconditionally in its
     render path.

Fix: NULL-check the calloc and 'return nil' from the init
method.  This matches the bailout pattern used by the
_initMetal failure branch just above.
ARC will dealloc the partial instance - MetalDriver's
dealloc is already NULL-safe for _viewport
(checks 'if (_viewport) free(_viewport);') and for _gpu_list
(checks 'if (_gpu_list)').

=== setShaderFromPath: shader calloc ===

    struct video_shader *shader  = (struct video_shader *)calloc(1, sizeof(*shader));
    settings_t        *settings  = config_get_ptr();
    ...
    @Try
    {
       if (!video_shader_load_preset_into_shader(path.UTF8String, shader))
          return NO;
       ...
    }
    @finally
    {
       if (shader)
          [self _freeVideoShader:shader];
    }

The calloc was unchecked.  video_shader_load_preset_into_shader
in gfx/video_shader_parse.c receives shader as its second
parameter and writes shader->path / shader->passes / etc. with
no NULL-guard on the pointer - so a NULL shader would crash
inside the shader parser.

Fix: NULL-check before entering the @Try and 'return NO'
immediately.  The caller treats this as a shader-load failure
and falls back to the stock (non-slang) render path.  The
@finally cleanup block is a no-op for NULL shader via the
guard in _freeVideoShader, so no cleanup concern.

=== Swept-clean in the same pass ===

Verified NULL-checked in metal.m:

- heapRow malloc in readViewport:: NULL-checked
  with early 'return NO;'.

- No other raw malloc/calloc/realloc sites in gfx/drivers/metal.m
  or in gfx/common/metal/*.

The rest of the driver is ARC-managed Objective-C with
Metal framework object lifetimes; out-of-scope for this
audit pass.

=== Note on _inflightSemaphore ===

The MetalDriver Context class declares a
dispatch_semaphore_t _inflightSemaphore and
allocates it via dispatch_semaphore_create(MAX_INFLIGHT).
The declaration and creation are the only two
references in the file - the semaphore is never actually
wait()ed or signal()ed.  It's effectively dead code, so
no OOM handling is needed; left alone for this audit.

Scope: local to metal.m.  No API changes, no header changes,
no changes to other .m files under gfx/common/metal/.

Thread-safety: both fixes are in one-shot paths called from
the main video thread at driver creation / shader load time;
no concurrency concerns.

Reachability: both are reachable on OOM.  The _viewport one
is unconditional at driver creation - every Metal driver
instance hits it.  The shader one fires whenever a slang
preset is loaded (menu selection, CLI --set-shader, remote
control), which is a direct user action.

Author: LibretroAdmin

gfx/drivers/metal.m

@@ -3378,6 +3378,17 @@ - (instancetype)initWithVideo:(const video_info_t *)video
 
       _video                        = *video;
       _viewport                     = (video_viewport_t *)calloc(1, sizeof(video_viewport_t));
+      /* NULL-check: Context's setViewport: (see line ~516)
+       * unconditionally dereferences the pointer via
+       * _viewport = *viewport;  A NULL here would crash on
+       * the first _context.viewport = _viewport assignment
+       * downstream in setVideoMode / show_mouse / frame.
+       * Return nil to fail the init - matches the pattern
+       * used by the _initMetal bailout just above.  ARC will
+       * tear down the partial instance (Metal library/queue
+       * ref-counts, string_list _gpu_list) via dealloc. */
+      if (!_viewport)
+         return nil;
       _viewportMVP.projectionMatrix = matrix_proj_ortho(0, 1, 0, 1);
 
       _keepAspect                   = _video.force_aspect;
@@ -4590,6 +4601,16 @@ - (BOOL)setShaderFromPath:(NSString *)path
    _shaderEmitsHDR16            = NO;
 
    struct video_shader *shader  = (struct video_shader *)calloc(1, sizeof(*shader));
+   /* NULL-check: video_shader_load_preset_into_shader below
+    * writes shader->path / shader->passes etc. via field access
+    * with no NULL guard on its second parameter, so a NULL
+    * shader would crash inside the parser.  Return NO here -
+    * caller treats this as a shader-load failure and falls
+    * back to the stock (non-slang) render path.  The @finally
+    * block below is a no-op for NULL shader via the guard in
+    * _freeVideoShader. */
+   if (!shader)
+      return NO;
    settings_t        *settings  = config_get_ptr();
    const char *dir_video_shader = settings->paths.directory_video_shader;
    NSString *shadersPath = [NSString stringWithFormat:@"%s/", dir_video_shader];