From 35ea45835484b90490e7d1704ef99ccb7b775578 Mon Sep 17 00:00:00 2001
From: Muhammad Faiz <mfcc64-at-gmail.com@ffmpeg.org>
Date: Thu, 3 Jul 2025 20:47:58 +0700
Subject: [PATCH] avfilter/avf_showcqt: fix unbounded index when copying to
 fft_data

When timeclamp and/or fps are low, j can be negative.

Fix Ticket11640
---
 libavfilter/avf_showcqt.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libavfilter/avf_showcqt.c b/libavfilter/avf_showcqt.c
index f6a867a0ce..abfae1f8fb 100644
--- a/libavfilter/avf_showcqt.c
+++ b/libavfilter/avf_showcqt.c
@@ -1516,7 +1516,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *insamples)
         i = insamples->nb_samples - remaining;
         j = s->fft_len/2 + s->remaining_fill_max - s->remaining_fill;
         if (remaining >= s->remaining_fill) {
-            for (m = 0; m < s->remaining_fill; m++) {
+            for (m = FFMAX(0, -j); m < s->remaining_fill; m++) {
                 s->fft_data[j+m].re = audio_data[2*(i+m)];
                 s->fft_data[j+m].im = audio_data[2*(i+m)+1];
             }
@@ -1545,7 +1545,7 @@ static int filter_frame(AVFilterLink *inlink, AVFrame *insamples)
                 s->fft_data[m] = s->fft_data[m+step];
             s->remaining_fill = step;
         } else {
-            for (m = 0; m < remaining; m++) {
+            for (m = FFMAX(0, -j); m < remaining; m++) {
                 s->fft_data[j+m].re = audio_data[2*(i+m)];
                 s->fft_data[j+m].im = audio_data[2*(i+m)+1];
             }