Fix stack buffer overflows in ynnpack channelwise quantized tensor and reduce

Bug 1: xnn_define_channelwise_quantized_tensor_value_v3 (tensor.cc:146)
std::copy_n(dims, channel_dim + 1, quantization_dims) copies channel_dim + 1
elements into quantization_dims[YNN_MAX_TENSOR_RANK] (size 8) without checking
channel_dim < num_dims or channel_dim < YNN_MAX_TENSOR_RANK. With
channel_dim >= 8, this writes past the stack buffer.

ASAN trace:
  ==ERROR: AddressSanitizer: stack-buffer-overflow
  WRITE of size 88
  #8 xnn_define_channelwise_quantized_tensor_value_v3
  [96, 160) 'quantization_dims' (line 145) <== overflows this variable

Fix: Add channel_dim >= num_dims and num_dims > YNN_MAX_TENSOR_RANK checks.

Bug 2: get_reduce_identity_value (reduce.cc:243)
For ynn_reduce_min_max with keep_dims=true on a rank-8 tensor,
output.extents.push_back(2) increases rank to 9. Then dims[rank - 1] = dims[8]
writes one element past the size-8 stack array.

Fix: Add rank bounds check before array access.

Author: mohammadmseet-hue

ynnpack/subgraph/reduce.cc

@@ -240,6 +240,9 @@ uint32_t get_reduce_identity_value(ynn_subgraph& subgraph,
       value_f32[0] = std::numeric_limits<float>::infinity();
       value_f32[1] = -std::numeric_limits<float>::infinity();
       rank = output.rank();
+      if (rank < 1 || rank > YNN_MAX_TENSOR_RANK) {
+        return YNN_INVALID_VALUE_ID;
+      }
       dims[rank - 1] = 2;
       break;
     default:

ynnpack/xnnpack/tensor.cc

@@ -123,6 +123,9 @@ xnn_status xnn_define_channelwise_quantized_tensor_value_v3(
   // Channelwise zero points are not supported yet.
   assert(channelwise_zero_point == nullptr);
   assert(data);
+  if (channel_dim >= num_dims || num_dims > YNN_MAX_TENSOR_RANK) {
+    return xnn_status_invalid_parameter;
+  }
   uint32_t zero_point_id = YNN_INVALID_VALUE_ID;
   if (zero_point != 0) {
     ynn_status status = ynn_define_tensor(