security: add missing NULL checks after calloc in Bluetooth backend

Memory Safety: Medium

Two calloc() calls in backend-native.c do not check the return value
before dereferencing the pointer:

1. rfcomm_send_cmd_enqueue() allocates an rfcomm_cmd struct and
   immediately passes cmd->cmd to vsnprintf without a NULL check.

2. rfcomm_hfp_ag_clcc() allocates an updated_call struct and
   immediately dereferences updated_call->id without a NULL check.

Both would crash on allocation failure. Add NULL checks that return
an error instead of dereferencing NULL.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

spa/plugins/bluez5/backend-native.c

@@ -584,6 +584,8 @@ static ssize_t rfcomm_send_cmd(struct rfcomm *rfcomm, int next_state, DBusMessag
 	va_list args;
 
 	cmd = calloc(1, sizeof(struct rfcomm_cmd));
+	if (cmd == NULL)
+		return -ENOMEM;
 
 	va_start(args, format);
 	len = vsnprintf(cmd->cmd, RFCOMM_MESSAGE_MAX_LENGTH + 1, format, args);
@@ -2342,6 +2344,8 @@ static bool rfcomm_hfp_hf(struct rfcomm *rfcomm, char* token)
 		if (SPA_LIKELY (parsed)) {
 			struct updated_call *updated_call;
 			updated_call = calloc(1, sizeof(struct updated_call));
+			if (updated_call == NULL)
+				return false;
 			updated_call->id = idx;
 			spa_list_append(&rfcomm->updated_call_list, &updated_call->link);