CVE-2023-47470: 
Ffmpeg vulnerability analysis and mitigation

A Buffer Overflow vulnerability was discovered in FFmpeg before github commit 4565747056a11356210ed8edcecb920105e40b60. The vulnerability exists in the refpicliststruct function within libavcodec/evcps.c. This security flaw was identified and reported on November 15, 2023, affecting FFmpeg versions up to (excluding) 6.1 (NVD, FFmpeg Report).

The vulnerability is classified as an Out-of-Bounds Write (CWE-787) with a CVSS v3.1 base score of 7.8 (HIGH). The issue occurs in the refpicliststruct function where insufficient validation of refpicnum against spsmaxdecpicbufferingminus1 could lead to an out-of-array write condition. The vulnerability requires local access with no privileges but does need user interaction to be exploited (NVD).

The exploitation of this vulnerability can lead to multiple severe consequences: arbitrary code execution, denial of service (DoS), and out-of-array write operations. These impacts could potentially compromise the integrity and availability of systems running the affected FFmpeg versions (NVD, FFmpeg Report).

The vulnerability has been patched in FFmpeg commit 4565747056a11356210ed8edcecb920105e40b60. The fix includes adding proper validation checks for refpicnum and spsmaxdecpicbuffering_minus1 values. Users are advised to upgrade to FFmpeg version 6.1 or later, which includes this security fix (FFmpeg Patch).