[DO NOT MERGE] Fix heap buffer overflow in sbrDecoder_AssignQmfChannels2SbrChannels().

In the bug the SBR decoder has already set up 9 channels and tries to
allocate one more channel. The assignment of the QMF channels to SBR
channels fails since the QMF domain manages only 8+1 channels instead
of 10 channels as reqeusted by SBR.
Here we have added a check in sbrDecoder_InitElement() which will
return with a parse error in case additional SBR channels would exceed
the maximum number of SBR channels. This solves the potential heap
buffer overflow.

Bug: 158762825
Test: atest DecoderTestAacDrc DecoderTestXheAac
Change-Id: I741f49ab3b675fa3d3217ee72e1db66b0114f7ee

libSBRdec/src/sbrdecoder.cpp

@@ -510,9 +510,6 @@ SBR_ERROR sbrDecoder_InitElement (
       self->numSbrChannels -= self->pSbrElement[elementIndex]->nChannels;
     }
 
-    /* Save element ID for sanity checks and to have a fallback for concealment. */
-    self->pSbrElement[elementIndex]->elementID = elementID;
-
     /* Determine amount of channels for this element */
     switch (elementID) {
       case ID_NONE:
@@ -540,6 +537,16 @@ SBR_ERROR sbrDecoder_InitElement (
       }
     }
 
+    /* Sanity check to avoid memory leaks */
+    if (elChannels < self->pSbrElement[elementIndex]->nChannels ||
+        (self->numSbrChannels + elChannels) > (8) + (1)) {
+      self->numSbrChannels += self->pSbrElement[elementIndex]->nChannels;
+      sbrError = SBRDEC_PARSE_ERROR;
+      goto bail;
+    }
+
+    /* Save element ID for sanity checks and to have a fallback for concealment. */
+    self->pSbrElement[elementIndex]->elementID = elementID;
     self->pSbrElement[elementIndex]->nChannels = elChannels;
 
     for (ch=0; ch<elChannels; ch++)