Add integer overflow checks in Program::LoadSegment

[rascani]

Summary:
Add overflow protection to pointer arithmetic in LoadSegment() and load_mutable_subsegment_into().

Three additions were unchecked:

1. segment_base_offset_ + segment->offset() in LoadSegment() (line 563) — a malicious .pte file can set segment->offset() near UINT64_MAX, wrapping the sum to a small value and causing the loader to read from an unintended file position.

2. offset + size in load_mutable_subsegment_into() — overflow before the bounds check against segment->size() would bypass the validation entirely.

3. segment_base_offset_ + segment->offset() + offset in load_mutable_subsegment_into() (line 649) — a triple addition with no overflow check on any intermediate result. Now computed in two validated steps.

The overflow checks use the same ET_CHECK_OR_RETURN_ERROR pattern already established at lines 95-100 for the header-level segment validation.

MACA-2026-001 (T266924552).

Differential Revision: D103467784

[pytorch-bot]

🔗 Helpful Links

🧪 See artifacts and rendered test results at hud.pytorch.org/pr/pytorch/executorch/19268

• 📄 Preview Python docs built from this PR

Note: Links to docs will display an error until the docs builds have been completed.

❌ 1 New Failure, 2 Unrelated Failures

As of commit 066e3f8 with merge base a3dd0fa ():

NEW FAILURE - The following job has failed:

• pull / unittest-nxp-neutron / linux-job (gh)
  RuntimeError: Command docker exec -t d67f1378430669401b577ffe0fd770209b066773d898eff4a643ae5a206d105d /exec failed with exit code 1

BROKEN TRUNK - The following jobs failed but were present on the merge base:

👉 Rebase onto the `viable/strict` branch to avoid these failures

• pull / unittest / macos / macos-job (gh) (trunk failure)
  ##[error]The operation was canceled.
• pull / unittest-editable / macos / macos-job (gh) (trunk failure)
  ##[error]The operation was canceled.

This comment was automatically generated by Dr. CI and updates every 15 minutes.

[meta-codesync]

@rascani has exported this pull request. If you are a Meta employee, you can view the originating Diff in D103467784.

[github-actions]

This PR needs a release notes: label

If your change should be included in the release notes (i.e. would users of this library care about this change?), please use a label starting with release notes:. This helps us keep track and include your important work in the next release notes.

To add a label, you can comment to pytorchbot, for example
@pytorchbot label "release notes: none"

For more information, see
https://github.com/pytorch/pytorch/wiki/PyTorch-AutoLabel-Bot#why-categorize-for-release-notes-and-how-does-it-work.