Add bounds check for constant_data offset

[rascani]

Summary:
Validate that constant_data_offset->offset() does not exceed constant_data_size before computing constant_data_ptr + offset in getConstantDataPtr().

Previously, the offset read from the flatbuffer was used in pointer arithmetic with no validation. A crafted XNNPACK delegate blob could set an arbitrary offset, causing an out-of-bounds read relative to constant_data_ptr. The main ExecuTorch runtime already performs this check in program.cpp:get_constant_buffer_data() — the XNNPACK backend was missing the equivalent.

Thread constant_data_size from the XNNHeader (which already parses and validates it) through compileModel() → defineTensor() → getConstantDataPtr().

MACA-2026-001 (T267371218).

Differential Revision: D103467781

[pytorch-bot]

🔗 Helpful Links

🧪 See artifacts and rendered test results at hud.pytorch.org/pr/pytorch/executorch/19285

• 📄 Preview Python docs built from this PR

Note: Links to docs will display an error until the docs builds have been completed.

❗ 1 Active SEVs

There are 1 currently active SEVs. If your PR is affected, please view them below:

• Ubuntu services are down

❌ 2 New Failures, 4 Unrelated Failures

As of commit ae4ce19 with merge base 2050b8a ():

NEW FAILURES - The following jobs have failed:

• pull / test-lora-linux / linux-job (gh)
  RuntimeError: Command docker exec -t 2fdbe4856bc65d43f538b1c2b3d590bf7ff4c6f6102a96bbd1802338d8aa288c /exec failed with exit code 1
• pull / test-lora-multimethod-linux / linux-job (gh)
  RuntimeError: Command docker exec -t 4c7475f6675d83d6efac8dce3dd9edfcd2f4690ad80709230435681028e50bf1 /exec failed with exit code 1

FLAKY - The following job failed but was likely due to flakiness present on trunk:

• pull / unittest / macos / macos-job (gh) (similar failure)
  ##[error]The operation was canceled.

BROKEN TRUNK - The following jobs failed but was present on the merge base:

👉 Rebase onto the `viable/strict` branch to avoid these failures

• pull / unittest / linux / linux-job (gh) (trunk failure)
• pull / unittest-editable / linux / linux-job (gh) (trunk failure)
• pull / unittest-editable / macos / macos-job (gh) (trunk failure)
  ##[error]The operation was canceled.

This comment was automatically generated by Dr. CI and updates every 15 minutes.

[meta-codesync]

@rascani has exported this pull request. If you are a Meta employee, you can view the originating Diff in D103467781.

[github-actions]

This PR needs a release notes: label

If your change should be included in the release notes (i.e. would users of this library care about this change?), please use a label starting with release notes:. This helps us keep track and include your important work in the next release notes.

To add a label, you can comment to pytorchbot, for example
@pytorchbot label "release notes: none"

For more information, see
https://github.com/pytorch/pytorch/wiki/PyTorch-AutoLabel-Bot#why-categorize-for-release-notes-and-how-does-it-work.