A buffer overflow could occur in VideoLAN’s VLC cross-platform multimedia player when attempting to parse a specially crafted advanced systems format (ASF) movie, a researcher reported.
The vulnerability, found by security researcher Debasish Mandal, exists in the ASF demuxer of VLC media player versions 2.0.5 and earlier. To exploit the vulnerability, a user must “explicitly open a specially crafted ASF movie.”
According to a security advisory on the VideoLAN site, an attacker who exploits the bug could cause invalid memory access, which could in turn cause the player to crash. It has not yet been confirmed, but the advisory also warns that attackers may be able to use an exploit to execute arbitrary code “within the context of the application.”
The problem will be resolved with the release of VLC’s 2.0.6 release, slated to ship sometime in January, which ends today. VideoLAN’s patch will fix the bug by replacing a macro with static inline and improved bounds checking in the VLV player’s source code repository.
The advisory recommends that users excercise caution and avoid opening files from third-party untrusted remote sites until they install the patch. VideoLAN also claims that the ASF demuxer can be removed manually, but that doing so will prevent ASF movie playback.