Fix for Heap-buffer-overflow in ixheaace_write_bits

Significance:
==============
- Fixes max bit reservoir calculation based on framelength

Bug: ossFuzz: 471876985
Test: poc in bug

Testing:
========
- Smoke-tested on MSVS, Armv7, Armv8, x86_64, x86 and Mac

encoder/ixheaace_api.c

@@ -1089,6 +1089,7 @@ static IA_ERRORCODE ixheaace_set_config_params(ixheaace_api_struct *pstr_api_str
       }
     }
   } else {
+    WORD32 max_bitreservoir_size;
     if ((pstr_input_config->i_channels > MAX_NUM_CORE_CODER_CHANNELS)) {
       return (IA_EXHEAACE_CONFIG_FATAL_NUM_CHANNELS);
     }
@@ -1212,34 +1213,20 @@ static IA_ERRORCODE ixheaace_set_config_params(ixheaace_api_struct *pstr_api_str
       }
     }
 
-    if (pstr_input_config->aot == AOT_AAC_LD || pstr_input_config->aot == AOT_AAC_ELD) {
-      WORD32 max_channel_bits = (pstr_api_struct->config[0].aac_config.flag_framelength_small
-                                     ? MAXIMUM_CHANNEL_BITS_480
-                                     : MAXIMUM_CHANNEL_BITS_512);
-      if ((pstr_input_config->aac_config.bitreservoir_size > max_channel_bits / 8) ||
-          (pstr_input_config->aac_config.bitreservoir_size < -1)) {
-        pstr_input_config->aac_config.bitreservoir_size =
-            BITRESERVOIR_SIZE_CONFIG_PARAM_DEFAULT_VALUE_LD;
-      }
-      pstr_api_struct->config[0].aac_config.bitreservoir_size =
-          pstr_input_config->aac_config.bitreservoir_size;
+    /* Right shift by 10 as 768 is the max bit reservoir calculated for framelength 1024 */
+    max_bitreservoir_size = (BITRESERVOIR_SIZE_CONFIG_PARAM_DEFAULT_VALUE *
+                             pstr_api_struct->config[0].frame_length) >>
+                            10;
+    if ((pstr_input_config->aac_config.bitreservoir_size > max_bitreservoir_size) ||
+        (pstr_input_config->aac_config.bitreservoir_size < -1)) {
+      pstr_input_config->aac_config.bitreservoir_size = max_bitreservoir_size;
     }
-    if (pstr_input_config->aot == AOT_AAC_LC || pstr_input_config->aot == AOT_SBR ||
-        pstr_input_config->aot == AOT_PS) {
-      WORD32 max_channel_bits = (pstr_api_struct->config[0].aac_config.flag_framelength_small
-                                     ? MAXIMUM_CHANNEL_BITS_960
-                                     : MAXIMUM_CHANNEL_BITS_1024);
-
-      if ((pstr_input_config->aac_config.bitreservoir_size > max_channel_bits / 8) ||
-          (pstr_input_config->aac_config.bitreservoir_size < -1)) {
-        pstr_input_config->aac_config.bitreservoir_size =
-            BITRESERVOIR_SIZE_CONFIG_PARAM_DEFAULT_VALUE_LC;
-      }
-      pstr_api_struct->config[0].aac_config.bitreservoir_size =
-          pstr_input_config->aac_config.bitreservoir_size;
-    }
-    pstr_api_struct->config[0].aac_config.full_bandwidth =
+    for (ele_idx = 0; ele_idx < MAXIMUM_BS_ELE; ele_idx++) {
+      pstr_api_struct->config[ele_idx].aac_config.bitreservoir_size =
+        pstr_input_config->aac_config.bitreservoir_size;
+      pstr_api_struct->config[ele_idx].aac_config.full_bandwidth =
         pstr_input_config->aac_config.full_bandwidth;
+    }
   }
 
   return IA_NO_ERROR;

encoder/ixheaace_config_params.h

@@ -21,8 +21,7 @@
 #pragma once
 /* Input Config Params default values */
 
-#define BITRESERVOIR_SIZE_CONFIG_PARAM_DEFAULT_VALUE_LD (384)
-#define BITRESERVOIR_SIZE_CONFIG_PARAM_DEFAULT_VALUE_LC (768)
+#define BITRESERVOIR_SIZE_CONFIG_PARAM_DEFAULT_VALUE (768)
 #define NUM_CHANNELS_CONFIG_PARAM_DEFAULT_VALUE (2)
 #define AAC_SAMP_FREQ_CONFIG_PARAM_DEFAULT_VALUE (44100)
 #define NUM_MEMTABS_CONFIG_PARAM_DEFAULT_VALUE (10)

encoder/ixheaace_enc_init.c

@@ -198,11 +198,10 @@ VOID ia_enhaacplus_enc_aac_init_default_config(iaace_config *config, WORD32 aot)
   config->band_width = 0;
   if (aot == AOT_AAC_LC || aot == AOT_SBR || aot == AOT_PS) {
     config->inv_quant = 0;
-    config->bitreservoir_size = BITRESERVOIR_SIZE_CONFIG_PARAM_DEFAULT_VALUE_LC;
   } else if (aot == AOT_AAC_LD || aot == AOT_AAC_ELD) {
     config->inv_quant = 2;
-    config->bitreservoir_size = BITRESERVOIR_SIZE_CONFIG_PARAM_DEFAULT_VALUE_LD;
   }
+  config->bitreservoir_size = BITRESERVOIR_SIZE_CONFIG_PARAM_DEFAULT_VALUE;
   config->use_tns = 0;
   config->flag_framelength_small =
       USE_FRAMELENGTH_SMALL_PARAM_DEFAULT_VALUE;  // assume framelength large