DF-0209
clist_nextc trusts caller cp without validating within live ring window
Summary
clist_nextc(:248) computes offset from raw pointer arithmetic cp-c_data, derefs *cp(:265). No bounds check. If clist mutated between calls -> stale/UAF iterator. Current callers dont mutate iterated queue. Latent.