From 3d9d3085714f7568f665f966b166cb90b4e49fb5 Mon Sep 17 00:00:00 2001
From: Github Executorch
Date: Wed, 4 Mar 2026 22:19:59 -0800
Subject: [PATCH] Fix double-scaled pointer arithmetic in ETDumpGen constructor (TOB-EXECUTORCH-32)

The expression `builder_ + sizeof(struct flatcc_builder)` double-scales the offset because `builder_` is a `struct flatcc_builder*` -- the compiler already multiplies by `sizeof(struct flatcc_builder)` for typed pointer arithmetic. The result advances far past the intended location, potentially into unallocated memory. Replace with `builder_ + 1`, which correctly advances by exactly one `sizeof(struct flatcc_builder)` element.

This PR was authored with the assistance of Claude.
---
 devtools/etdump/etdump_flatcc.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/devtools/etdump/etdump_flatcc.cpp b/devtools/etdump/etdump_flatcc.cpp
index d841c45afc5..92ce2070fc8 100644
--- a/devtools/etdump/etdump_flatcc.cpp
+++ b/devtools/etdump/etdump_flatcc.cpp
@@ -116,8 +116,8 @@ ETDumpGen::ETDumpGen(Span buffer) {
 if (buffer.data() != nullptr) {
 builder_ = (struct flatcc_builder*)internal::align_pointer(buffer.data(), 64);
- uintptr_t buffer_with_builder = (uintptr_t)internal::align_pointer(
- builder_ + sizeof(struct flatcc_builder), 64);
+ uintptr_t buffer_with_builder =
+ (uintptr_t)internal::align_pointer(builder_ + 1, 64);
 size_t builder_size = (size_t)(buffer_with_builder - (uintptr_t)buffer.data());
 size_t min_buf_size = max_alloc_buf_size + builder_size;
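Review bot: The corrected line still does the offset as typed pointer arithmetic on `builder_` before anything has confirmed that the caller's buffer can hold a `flatcc_builder` after the 64-byte alignment, so for an undersized buffer `builder_ + 1` already forms a pointer past the end of the allocation before the `min_buf_size` comparison that presumably follows (the constructor body continues outside the hunk). Doing the step and the rounding on integers avoids that, keeps the same result, and also removes the class of bug this patch fixes, since there is no element type to scale by: `uintptr_t buffer_with_builder = ((uintptr_t)builder_ + sizeof(struct flatcc_builder) + 63) & ~(uintptr_t)63;`. The diff carries no regression test; a case that constructs `ETDumpGen` with a buffer only slightly larger than the aligned builder plus whatever `max_alloc_buf_size` requires would have been rejected by the old double-scaled computation and accepted by this one, which is the behaviour worth pinning. As a point of style, the new line keeps the C-style `(uintptr_t)` cast in a C++ file where `reinterpret_cast<uintptr_t>` would make the pointer-to-integer conversion greppable.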