From e43a3d8d304dcafad023eb0327669fe94d6e2d9f Mon Sep 17 00:00:00 2001
From: Michael Niedermayer
Date: Fri, 22 Dec 2023 21:49:48 +0100
Subject: [PATCH] avfilter/af_alimiter: Check nextpos before use
Fixes: out of array read
Fixes: tickets/10744/poc11ffmpeg
Found-by: Li Zeyuan and Zeng Yunxiang.
Signed-off-by: Michael Niedermayer
(cherry picked from commit a88b06f9ee8c88f78bdd614fc25283225223e858)
Signed-off-by: Michael Niedermayer
---
 libavfilter/af_alimiter.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/libavfilter/af_alimiter.c b/libavfilter/af_alimiter.c
index f08893229d..9a86704764 100644
--- a/libavfilter/af_alimiter.c
+++ b/libavfilter/af_alimiter.c
@@ -195,9 +195,10 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *in)
 int j = i % buffer_size;
 double ppeak = 0, pdelta;
- for (c = 0; c < channels; c++) {
- ppeak = FFMAX(ppeak, fabs(buffer[nextpos[j] + c]));
- }
+ if (nextpos[j] >= 0)
+ for (c = 0; c < channels; c++) {
+ ppeak = FFMAX(ppeak, fabs(buffer[nextpos[j] + c]));
+ }
 pdelta = (limit / peak - limit / ppeak) / (((buffer_size - nextpos[j] + s->pos) % buffer_size) / channels);
 if (pdelta < nextdelta[j]) {
 nextdelta[j] = pdelta;
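Review bot: The added `if (nextpos[j] >= 0)` guards only the read inside the `for` loop; the `pdelta = ...` line directly after it still runs for a negative entry, with `ppeak` left at 0 and the negative `nextpos[j]` fed into the modulo term. `limit / ppeak` is then a division by zero, so `pdelta` comes out non-finite and can still pass `pdelta < nextdelta[j]` and be stored in `nextdelta[j]`. If a negative `nextpos[j]` marks an unused slot, which the check suggests but the hunk does not show, skipping the whole iteration looks safer: `if (nextpos[j] < 0) continue;` placed before the loop. The check is also one-sided, so `nextpos[j] + c` is assumed to stay within `buffer` for non-negative entries. The enclosing loop in filter_frame starts and ends outside the hunk, so neither point could be confirmed against the surrounding code.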