Add overflow checks to getLeadingDims and getTrailingDims

Summary:
Add `c10::mul_overflows()` checks to the dimension-product loops in `getLeadingDims()` and `getTrailingDims()`.

Both functions multiply tensor dimension sizes in a loop with no overflow protection. On 32-bit targets where `size_t` is 32 bits, malicious tensor dimensions from a crafted `.pte` file can cause the product to wrap silently, producing a small value that is then used for buffer offset calculations in 40+ kernels via `coordinateToIndex()`. This enables heap buffer overflows during operator execution.

MACA-2026-001 (T267380210).

Differential Revision: D103467782

Author: rascani

runtime/core/exec_aten/util/tensor_util.h

@@ -9,6 +9,7 @@
 #pragma once
 
 #include <c10/util/irange.h>
+#include <c10/util/safe_numerics.h>
 #include <algorithm>
 #include <array> // std::array
 #include <cinttypes> // PRId64
@@ -932,7 +933,12 @@ inline size_t getLeadingDims(
       ssize_t(tensor.dim()));
   size_t dims = 1;
   for (const auto i : c10::irange(dim)) {
-    dims *= static_cast<size_t>(tensor.size(i));
+    size_t next_dims;
+    ET_CHECK_MSG(
+        !c10::mul_overflows(dims, static_cast<size_t>(tensor.size(i)), &next_dims),
+        "Overflow computing leading dims at dimension %zd",
+        (ssize_t)i);
+    dims = next_dims;
   }
   return dims;
 }
@@ -949,7 +955,12 @@ inline size_t getTrailingDims(
       ssize_t(tensor.dim()));
   size_t dims = 1;
   for (size_t i = dim + 1; i < static_cast<size_t>(tensor.dim()); ++i) {
-    dims *= static_cast<size_t>(tensor.size(i));
+    size_t next_dims;
+    ET_CHECK_MSG(
+        !c10::mul_overflows(dims, static_cast<size_t>(tensor.size(i)), &next_dims),
+        "Overflow computing trailing dims at dimension %zu",
+        i);
+    dims = next_dims;
   }
   return dims;
 }