﻿id,summary,reporter,owner,description,type,status,priority,component,version,resolution,keywords,cc,blockedby,blocking,reproduced,analyzed
10326,Possibly invalid restriction for CTTS sample_offset field,Robert Swain,,"Summary of the bug:

libavformat/mov.c logs an error for a CTTS box sample_offset that is, as far as I can tell, valid according to the ISO/IEC 14496-12 and Apple specifications.

How to reproduce:

The check is here: https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/refs/heads/master:/libavformat/mov.c#l3322

{{{
         if (FFNABS(duration) < -(1<<28) && i+2<entries) {
             av_log(c->fc, AV_LOG_WARNING, ""CTTS invalid\n"");
             av_freep(&sc->ctts_data);
             sc->ctts_count = 0;
             return 0;
         }
}}}

A slightly different form of the check was originally introduced as a fix for https://trac.ffmpeg.org/ticket/385 with the commit message:

{{{
commit 4093220029a4d77f272c491e9299680480a08c00
Author: Michael Niedermayer <michael@niedermayer.cc>
Date:   Thu Mar 8 07:10:57 2012 +0100

    mov: Discard invalid CTTS.

    Fixes Ticket385

    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
}}}

There are no comments in the code, and neither the commit message nor the code explains why the check is correct.

As the Apple specification is publicly and freely available I'll link it here: https://developer.apple.com/library/archive/documentation/QuickTime/QTFF/QTFFChap2/qtff2.html#//apple_ref/doc/uid/TP40000939-CH204-SW19. I wasn't able to find anything in that specification or in ISO/IEC 14496-12 section 8.6.1.3 about the `sample_offset` having a smaller range than the data type of the field.

The code enforces that the CTTS box `sample_offset` (the `duration` variable in the code in mov.c - also, why is it called `duration`?) is required to be <= 2^28. Why is this?",defect,new,normal,avformat,git-master,,,Robert Swain,,,0,0
