id	summary	reporter	owner	description	type	status	priority	component	version	resolution	keywords	cc	blockedby	blocking	reproduced	analyzed
10326	Possibly invalid restriction for CTTS sample_offset field	Robert Swain		"Summary of the bug:

libavformat/mov.c logs an error for a CTTS box sample_offset that is, as far as I can tell, valid according to the ISO/IEC 14496-12 and Apple specifications.

How to reproduce:

The check is here: https://git.ffmpeg.org/gitweb/ffmpeg.git/blob/refs/heads/master:/libavformat/mov.c#l3322

{{{
         if (FFNABS(duration) < -(1<<28) && i+2<entries) {
             av_log(c->fc, AV_LOG_WARNING, ""CTTS invalid\n"");
             av_freep(&sc->ctts_data);
             sc->ctts_count = 0;
             return 0;
         }
}}}

A slightly different form of the check was originally introduced as a fix for https://trac.ffmpeg.org/ticket/385 with the commit message:

{{{
commit 4093220029a4d77f272c491e9299680480a08c00
Author: Michael Niedermayer <michael@niedermayer.cc>
Date:   Thu Mar 8 07:10:57 2012 +0100

    mov: Discard invalid CTTS.

    Fixes Ticket385

    Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
}}}

There are no comments on the code, nor does the commit message or the code explain why the check is correct.

As the Apple specification is publicly and freely available I'll link it here: https://developer.apple.com/library/archive/documentation/QuickTime/QTFF/QTFFChap2/qtff2.html#//apple_ref/doc/uid/TP40000939-CH204-SW19

I wasn't able to find anything in that specification, nor in ISO/IEC 14496-12 section 8.6.1.3, about the `sample_offset` having a narrower range than the data type of the field.

The code enforces that the CTTS box `sample_offset` (the `duration` variable in the code in mov.c - also, why is it called `duration`?) is required to be <= 2^28. Why is this?"	defect	new	normal	avformat	git-master			Robert Swain			0	0
