af_scaletempo: fix crash on channel reconfiguration

This crash happened when audio channels were reconfigured from 6
channels to 2, and playback speed was set to 2.

The crash is caused by passing a negative size to memcpy. It appears
reinitialization doesn't clear the buffer. As the result, the buffer
can be larger as the maximum buffer size, i.e. the invariant
bytes_queued <= bytes_queue is violated.

Fix this by resetting the buffer length on reconfiguring (set the
bytes_queued vairable to 0). Also reset some other state for clarity
and robustness, although these changes aren't strictly needed for
avoiding the actual crash.

This may also get rid of some noise played right after reinitialization,
as the re-used buffer was in the wrong audio format.

libaf/af_scaletempo.c

@@ -34,6 +34,7 @@
 #include <stdlib.h>
 #include <string.h>
 #include <limits.h>
+#include <assert.h>
 
 #include "af.h"
 #include "libavutil/common.h"
@@ -104,6 +105,7 @@ static int fill_queue(struct af_instance_s* af, af_data_t* data, int offset)
 
   if (bytes_in > 0) {
     int bytes_copy = FFMIN(s->bytes_queue - s->bytes_queued, bytes_in);
+    assert(bytes_copy >= 0);
     memcpy(s->buf_queue + s->bytes_queued,
            (int8_t*)data->audio + offset,
            bytes_copy);
@@ -331,6 +333,7 @@ static int control(struct af_instance_s* af, int cmd, void* arg)
       s->bytes_standing   = s->bytes_stride;
       s->samples_standing = s->bytes_standing / bps;
       s->output_overlap   = NULL;
+      s->bytes_overlap    = 0;
     } else {
       s->samples_overlap  = frames_overlap * nch;
       s->bytes_overlap    = frames_overlap * nch * bps;
@@ -419,6 +422,9 @@ static int control(struct af_instance_s* af, int cmd, void* arg)
       return AF_ERROR;
     }
 
+    s->bytes_queued = 0;
+    s->bytes_to_slide = 0;
+
     mp_msg (MSGT_AFILTER, MSGL_DBG2, "[scaletempo] "
             "%.2f stride_in, %i stride_out, %i standing, "
             "%i overlap, %i search, %i queue, %s mode\n",