avfilter/af_alimiter: Check nextpos before use

Fixes: out of array read Fixes: tickets/10744/poc11ffmpeg Found-by: Li Zeyuan and Zeng Yunxiang. Signed-off-by: Michael Niedermayer <michael@niedermayer.cc> (cherry picked from commit a88b06f9ee) Signed-off-by: Michael Niedermayer <michael@niedermayer.cc>
2023-12-22 21:49:48 +01:00 · 2023-12-22 21:49:48 +01:00 · e6d1ed99ae
parent 5715c8ed18
commit e6d1ed99ae
1 changed files with 4 additions and 3 deletions
--- a/libavfilter/af_alimiter.c
+++ b/libavfilter/af_alimiter.c
@ -176,10 +176,11 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
            } else {
                for (i = s->nextiter; i < s->nextiter + s->nextlen; i++) {
                    int j = i % buffer_size;
-                    double ppeak, pdelta;
+                    double ppeak = 0, pdelta;

-                    ppeak = fabs(buffer[nextpos[j]]) > fabs(buffer[nextpos[j] + 1]) ?
-                            fabs(buffer[nextpos[j]]) : fabs(buffer[nextpos[j] + 1]);
+                    if (nextpos[j] >= 0)
+                        ppeak = fabs(buffer[nextpos[j]]) > fabs(buffer[nextpos[j] + 1]) ?
+                                fabs(buffer[nextpos[j]]) : fabs(buffer[nextpos[j] + 1]);
                    pdelta = (limit / peak - limit / ppeak) / (((buffer_size - nextpos[j] + s->pos) % buffer_size) / channels);
                    if (pdelta < nextdelta[j]) {
                        nextdelta[j] = pdelta;