CVE-2023-47470 Overview
CVE-2023-47470 is a buffer overflow vulnerability in FFmpeg's EVC (Essential Video Coding) parser that allows remote attackers to achieve an out-of-array write, execute arbitrary code, and cause a denial of service (DoS). The vulnerability exists in the ref_pic_list_struct function within libavcodec/evc_ps.c, where insufficient validation of the ref_pic_num parameter against the sps_max_dec_pic_buffering_minus1 boundary enables memory corruption when processing maliciously crafted media files.
Critical Impact
Successful exploitation allows attackers to execute arbitrary code or crash FFmpeg-based applications by supplying specially crafted EVC video content, potentially compromising systems that process untrusted media files.
Affected Products
- FFmpeg versions prior to commit 4565747056a11356210ed8edcecb920105e40b60
- FFmpeg 6.1 and earlier versions
- Applications and services utilizing vulnerable FFmpeg libraries for media processing
Discovery Timeline
- 2023-11-16 - CVE-2023-47470 published to NVD
- 2025-08-11 - Last updated in NVD database
Technical Details for CVE-2023-47470
Vulnerability Analysis
This vulnerability stems from a classic out-of-bounds write condition (CWE-787) in FFmpeg's EVC video codec parser. The ref_pic_list_struct function is responsible for parsing reference picture list structures according to the ISO/IEC 23094-1 specification. The function reads the ref_pic_num value from the bitstream using get_ue_golomb_long(gb) without validating whether this value exceeds the maximum allowed buffer size defined by sps_max_dec_pic_buffering_minus1.
When an attacker provides a crafted EVC stream with an excessively large ref_pic_num value, subsequent operations that iterate based on this count will access memory beyond the allocated array boundaries. This leads to memory corruption that can be leveraged for arbitrary code execution or trigger application crashes resulting in denial of service.
The attack vector is local and requires user interaction (the victim must open or process a malicious media file), which makes this vulnerability particularly dangerous wherever FFmpeg processes untrusted content from external sources, such as media converters, video players, or web applications with media processing capabilities.
Root Cause
The root cause is missing boundary validation in the reference picture list parsing logic. The ref_pic_num value read from the input bitstream was directly used without checking whether it exceeds the maximum decoder picture buffering capacity (sps_max_dec_pic_buffering_minus1) specified in the Sequence Parameter Set (SPS). This oversight allows attackers to control an index or count value used in subsequent array operations, leading to out-of-bounds memory access.
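A minimal model of the parse and the fix, written for this page and not taken from FFmpeg: an Exp-Golomb ue(v) reader feeding a simplified ref_pic_list_struct() that rejects an oversized ref_pic_num before the entry loop can write past the array. The array size (MAX_REF_PICS), the Sps struct, ERR_INVALIDDATA and demo_parse() are assumptions, and the sign-flag handling of the real syntax is omitted.

```c
// Added example, not FFmpeg's code: a minimal ue(v) Exp-Golomb reader and a simplified
// ref_pic_list_struct() that applies the CVE-2023-47470 bound before any entry is written.
#include <stddef.h>
#include <stdint.h>
#define MAX_REF_PICS 16       /* assumed capacity of the entry array        */
#define ERR_INVALIDDATA (-1)  /* stands in for FFmpeg's AVERROR_INVALIDDATA */
typedef struct { const uint8_t *buf; size_t nbits, pos; } BitReader;
typedef struct { uint32_t sps_max_dec_pic_buffering_minus1; } Sps;  /* assumed SPS subset */
typedef struct { uint32_t ref_pic_num; int32_t ref_pics[MAX_REF_PICS]; } RefPicList;
/* Returns the next bit, or -1 once the constructed buffer is exhausted. */
static int read_bit(BitReader *br) {
    if (br->pos >= br->nbits) return -1;
    int b = (br->buf[br->pos >> 3] >> (7 - (br->pos & 7))) & 1;
    br->pos++;
    return b;
}
/* ue(v): n leading zeros, a 1, then n bits; value = 2^n - 1 + bits. */
static int read_ue(BitReader *br, uint32_t *out) {
    int zeros = 0, b;
    while ((b = read_bit(br)) == 0)
        if (++zeros > 31) return ERR_INVALIDDATA;  /* would overflow uint32_t */
    uint32_t v = 0;
    for (int i = 0; i < zeros && b >= 0; i++)
        if ((b = read_bit(br)) >= 0) v = (v << 1) | (uint32_t)b;
    if (b < 0) return ERR_INVALIDDATA;             /* truncated bitstream */
    *out = (1u << zeros) - 1 + v;
    return 0;
}
/* Simplified parse: read the count, bound it, only then fill entries (deltas always negative here). */
static int ref_pic_list_struct(const Sps *sps, BitReader *br, RefPicList *rpl) {
    if (read_ue(br, &rpl->ref_pic_num) < 0) return ERR_INVALIDDATA;
    /* The fix: a count above the DPB size announced in the SPS is invalid data. */
    if (rpl->ref_pic_num > sps->sps_max_dec_pic_buffering_minus1) return ERR_INVALIDDATA;
    /* Defensive layer: never trust the SPS value beyond the array this code owns. */
    if (rpl->ref_pic_num > MAX_REF_PICS) return ERR_INVALIDDATA;
    int32_t poc = 0; uint32_t delta;
    for (uint32_t i = 0; i < rpl->ref_pic_num; i++) {
        if (read_ue(br, &delta) < 0) return ERR_INVALIDDATA;
        rpl->ref_pics[i] = (poc -= (int32_t)delta);
    }
    return 0;
}
static RefPicList g_rpl;  /* filled by the last demo_parse() call */
/* Parse nbits of a constructed bitstream under the given SPS bound; 0 on success. */
static int demo_parse(const uint8_t *bytes, size_t nbits, uint32_t max_minus1) {
    BitReader br = { bytes, nbits, 0 };
    Sps sps = { max_minus1 };
    g_rpl = (RefPicList){0};
    return ref_pic_list_struct(&sps, &br, &g_rpl);
}
```

With the bound in place, a constructed stream announcing 17 entries against a DPB of 4 is rejected before any index into ref_pics is computed.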
Attack Vector
An attacker can exploit this vulnerability by crafting a malicious EVC video file with a specially constructed reference picture list structure containing an oversized ref_pic_num value. When a victim opens this file with any application using vulnerable FFmpeg libraries, the parser processes the malformed data, triggering the buffer overflow. The attack requires local access to deliver the malicious file and user interaction to process it, but no privileges are required beyond standard user permissions.
// Security patch in libavcodec/evc_ps.c - avcodec/evc_ps: Check ref_pic_num and sps_max_dec_pic_buffering_minus1
#define EXTENDED_SAR 255
// @see ISO_IEC_23094-1 (7.3.7 Reference picture list structure syntax)
-static int ref_pic_list_struct(GetBitContext *gb, RefPicListStruct *rpl)
+static int ref_pic_list_struct(EVCParserSPS *sps, GetBitContext *gb, RefPicListStruct *rpl)
{
uint32_t delta_poc_st, strp_entry_sign_flag = 0;
rpl->ref_pic_num = get_ue_golomb_long(gb);
+
+ if ((unsigned)rpl->ref_pic_num > sps->sps_max_dec_pic_buffering_minus1)
+ return AVERROR_INVALIDDATA;
+
if (rpl->ref_pic_num > 0) {
delta_poc_st = get_ue_golomb_long(gb);
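Review bot: The new check at `if ((unsigned)rpl->ref_pic_num > sps->sps_max_dec_pic_buffering_minus1)` ties the list length to the DPB size announced in the SPS, but the hunk does not show that this SPS value is itself bounded by the capacity of the array the entries are written into, nor that the callers (outside this hunk) were updated to pass a validated, non-NULL `sps` for the new signature `ref_pic_list_struct(EVCParserSPS *sps, GetBitContext *gb, RefPicListStruct *rpl)`. A short comment above the check stating which array the bound protects and why a "minus 1" value (so equality is allowed) is the right limit, plus confirmation that the SPS parser rejects out-of-range `sps_max_dec_pic_buffering_minus1` before this point, would make the fix self-evidently sufficient.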
Source: GitHub FFmpeg Commit
Detection Methods for CVE-2023-47470
Indicators of Compromise
- Unexpected crashes or segmentation faults in FFmpeg or applications using FFmpeg libraries when processing EVC video files
- Anomalous memory allocation patterns or memory access violations in libavcodec components
- Suspicious EVC/H.266 video files with malformed reference picture list structures in the bitstream
- Core dumps indicating crashes within the ref_pic_list_struct function or related EVC parsing code
Detection Strategies
- Deploy application crash monitoring to detect abnormal termination patterns in media processing services
- Implement file integrity monitoring for FFmpeg library versions and compare against known vulnerable versions
- Use static analysis tools to scan codebases for vulnerable FFmpeg library dependencies
- Monitor process behavior for unexpected memory access patterns during media file processing
Monitoring Recommendations
- Enable detailed logging for media processing pipelines to capture parsing errors and exceptions
- Configure crash reporting systems to alert on FFmpeg-related failures with stack traces pointing to EVC codec modules
- Implement software composition analysis (SCA) to track FFmpeg versions across the environment
- Set up alerts for unusual CPU or memory consumption during video processing operations
How to Mitigate CVE-2023-47470
Immediate Actions Required
- Update FFmpeg to a version that includes commit 4565747056a11356210ed8edcecb920105e40b60 or later
- Audit all applications and services using FFmpeg libraries and prioritize updates for those processing untrusted media content
- Implement input validation at the application layer to reject suspicious or malformed video files before FFmpeg processing
- Consider temporarily disabling EVC codec support if updates cannot be immediately applied
Patch Information
The vulnerability was addressed in FFmpeg commit 4565747056a11356210ed8edcecb920105e40b60. The fix adds proper boundary checking by passing the SPS structure to the ref_pic_list_struct function and validating that ref_pic_num does not exceed sps_max_dec_pic_buffering_minus1. Organizations should update to FFmpeg versions released after this commit or apply the patch to their current installations.
For detailed patch information, see the FFmpeg Patch Submission and the official commit.
Workarounds
- Restrict FFmpeg usage to trusted media sources only until patches can be applied
- Deploy sandboxing or containerization for media processing workloads to limit the impact of potential exploitation
- Implement network segmentation to isolate media processing systems from critical infrastructure
- Use application allowlisting to control which processes can execute FFmpeg binaries
# Check the FFmpeg version in use; a git-based build shows its commit or tag in the first line
ffmpeg -version | head -5
# In an FFmpeg source checkout, verify that the fix commit is an ancestor of the build
# (exit status 0 means commit 4565747056a11356210ed8edcecb920105e40b60 is included)
git merge-base --is-ancestor 4565747056a11356210ed8edcecb920105e40b60 HEAD && echo "fix present" || echo "fix missing"
# Alternatively, search the affected file's history for the fix commit message
git log --oneline --grep="ref_pic_num" -- libavcodec/evc_ps.c
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.