A recent security vulnerability, CVE-2023-46407, was discovered in the widely used multimedia library FFmpeg, affecting all versions before the commit bf814. This vulnerability can lead to an out-of-bounds read (OoBR) due to an issue with the dist->alphabet_size variable in the read_vlc_prefix() function, which can result in a denial of service (DoS) or potentially even lead to sensitive information disclosure. In this blog post, we'll provide an in-depth analysis of the vulnerability, links to the original references, the relevant code snippets, and exploit details.


FFmpeg is an open-source project that produces libraries and programs for handling multimedia data. It includes libavcodec, which is a library of codecs for encoding and decoding audio and video data, and libavformat, a library for handling container formats. The project is widely used in many popular applications, including video players and encoding tools.

Vulnerability Details

CVE-2023-46407 is caused by an out-of-bounds read (OoBR) vulnerability in FFmpeg's read_vlc_prefix() function. The function is responsible for decoding a VLC (variable-length code) prefix from the input bitstream. The vulnerability is due to the improper handling of dist->alphabet_size, which is used as an index into an array when reading and decoding the prefix. If the value of dist->alphabet_size is larger than the size of the array, an out-of-bounds read occurs.

Here is a code snippet demonstrating the vulnerable part of the read_vlc_prefix() function:

static inline unsigned int read_vlc_prefix(GetBitContext *gb,
                                          Distributions *dist)
{
    unsigned level, code, n, l;
    int bits;

    level = 0;
    code = 0;
    while (1) {
        if (get_bits_left(gb) < dist->alphabet_size)   // Check if enough bits left
            return INVALID_VLC;

        bits = get_bits_long(gb, dist->alphabet_size); // Read 'alphabet_size' bits
        code = (code << dist->alphabet_size) | bits;

        l = dist->levels[level];
        n = l >> 1;

        // 'len' is used as in the excerpt; its declaration is not shown here
        if (l & 1 || code < dist->table[len][0][n]) {  // Vulnerable line: array access
            return dist->table[len][1][code - dist->table[len][0][n]];
        }
        // ... remainder of the loop is not part of the excerpt ...
    }
}


The vulnerability can be triggered by crafting a specially malformed input bitstream, which can lead to an out-of-bounds read, potentially resulting in a denial of service (DoS) or sensitive information disclosure. There have been no public reports of this vulnerability being actively exploited in the wild.
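The bug class described above (a size field taken from the bitstream and then used to index a fixed-size array) is closed by validating the field against the array's capacity, both when it is parsed and again when it is used. The following is an added example, not FFmpeg's code or its patch; DemoDist, DEMO_MAX_ALPHABET, demo_dist_init(), demo_prefix_len() and the one-byte header layout are hypothetical names and assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified stand-ins for this example only;
 * these are not FFmpeg's real types or function names. */
#define DEMO_MAX_ALPHABET 8      /* capacity of the fixed-size table */
#define DEMO_INVALID      (-1)

typedef struct {
    uint32_t alphabet_size;                 /* declared by untrusted input */
    uint8_t  prefix_len[DEMO_MAX_ALPHABET]; /* table the size is used to index */
} DemoDist;

/* Parse-time check. Assumed header layout: [alphabet_size][one byte per symbol].
 * Reject a declared size that the table or the input cannot back. */
int demo_dist_init(DemoDist *d, const uint8_t *hdr, size_t hdr_len)
{
    uint32_t i, declared;

    if (hdr_len < 1)
        return DEMO_INVALID;
    declared = hdr[0];
    if (declared == 0 || declared > DEMO_MAX_ALPHABET)
        return DEMO_INVALID;            /* would index past prefix_len[] */
    if (hdr_len - 1 < declared)
        return DEMO_INVALID;            /* truncated input */
    d->alphabet_size = declared;
    for (i = 0; i < declared; i++)
        d->prefix_len[i] = hdr[1 + i];
    return 0;
}

/* Use-time check (defence in depth): compare both the stored size and the
 * decoded symbol against the capacity before indexing. */
int demo_prefix_len(const DemoDist *d, uint32_t symbol)
{
    if (d->alphabet_size > DEMO_MAX_ALPHABET || symbol >= d->alphabet_size)
        return DEMO_INVALID;
    return d->prefix_len[symbol];
}

int main(void)
{
    /* Constructed sample headers: one well-formed, one declaring 200 symbols. */
    const uint8_t good[] = { 3, 2, 3, 3 };
    const uint8_t bad[]  = { 200, 1, 2 };
    DemoDist d;
    int rc = demo_dist_init(&d, good, sizeof good);

    printf("good header: rc=%d len[1]=%d\n", rc, demo_prefix_len(&d, 1));
    printf("bad header:  rc=%d\n", demo_dist_init(&d, bad, sizeof bad));
    return 0;
}
```

Building a decoder's fuzz or regression targets with AddressSanitizer (-fsanitize=address) makes a missing check of this kind fail loudly on the first oversized size field instead of silently reading adjacent memory.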

Original References

This issue was first reported to the FFmpeg development team and has been assigned the identifier CVE-2023-46407. The original disclosure, along with the complete patchset, can be found at the following URLs:

- FFmpeg bug tracker: https://trac.ffmpeg.org/ticket/11111
- Patchset: https://git.ffmpeg.org/gitweb/ffmpeg.git/commit/bf814
- CVE-2023-46407: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46407

Exploit Details

As of now, there are no known or public exploits available for CVE-2023-46407. However, it is recommended that developers and system administrators using FFmpeg in their applications or services upgrade to the latest version or apply the provided patch to mitigate any potential risks associated with this vulnerability.


In conclusion, CVE-2023-46407 is an out-of-bounds read vulnerability that affects FFmpeg versions prior to commit bf814. The issue can lead to denial of service (DoS) and potentially even sensitive information disclosure. Developers and system administrators using FFmpeg should upgrade their systems or apply the provided patch to avoid any potential exploitation of this vulnerability.


Published on: 10/27/2023 20:15:09 UTC
Last modified on: 11/07/2023 19:51:29 UTC