CVE-2023-46407: 
Ffmpeg vulnerability analysis and mitigation

FFmpeg prior to commit bf814 was discovered to contain an out-of-bounds read vulnerability (CVE-2023-46407) in the readvlcprefix() function, specifically related to the dist->alphabet_size variable. The vulnerability was identified and reported in October 2023, affecting FFmpeg versions up to 6.1 (NVD).

The vulnerability stems from a regression introduced in commit f7ac351, where the size of a dynamically allocated buffer was reduced but became too small for very small alphabet sizes, leading to an out-of-bounds read condition. The issue specifically affects the readvlcprefix() function in the JPEG XL parser component. The vulnerability has been assigned a CVSS v3.1 base score of 5.5 (MEDIUM) with a vector string of CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N (NVD).

The out-of-bounds read vulnerability could allow attackers to read data beyond allocated memory boundaries, potentially leading to information disclosure. The vulnerability requires user interaction to be exploited and has high confidentiality impact but no effect on integrity or availability (NVD).

The vulnerability was fixed in FFmpeg commit bf814387f42e9b0dea9d75c03db4723c88e7d962, which restores the buffer size to prevent the out-of-bounds read. Users should upgrade to FFmpeg version 6.1 or later, or apply the provided patch (FFmpeg Commit).