VLC versions before 2.1.5 contain a vulnerability in the transcode module that
may allow a corrupted stream to overflow buffers on the heap. With a
non-malicious input, this could lead to heap corruption and a crash. However,
under the right circumstances, a malicious attacker could potentially use this
vulnerability to hijack program execution, and on some platforms, execute
This vulnerability was found by fuzzing using CERT’s Basic Fuzzing Framework (BFF)
and a sample file from mplayerhq. Testing was initially performed on
Debian Sid (x86) using the VLC version 2.1.2-2+b3 from Debian, and later on
Windows XP 32-bit using VLC version 2.1.3 from upstream.
After some time, BFF produced a fuzzed file that caused the following crash:
*** Error in `/usr/bin/vlc': free(): corrupted unsorted chunks: 0xb384fd68 ***
======= Backtrace: =========
Testing under valgrind showed multiple invalid writes past the end of allocated
heap chunks (heap overflow), and following the execution using gdb confirmed
that this was not a false positive.
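The invalid writes valgrind reported are the classic symptom of a length field taken from the stream and trusted when copying into a fixed-size heap chunk. The following is an added, constructed illustration of that bug class and its fix; it is not VLC's transcode code, and the chunk format, buffer size and function names are assumptions made for the example. The unchecked variant is shown only for comparison and is never called; the hardened variant rejects the corrupted chunk instead of corrupting the heap.

```c
/*
 * Constructed illustration of the bug class described above (a declared
 * chunk length trusted when copying into a fixed-size heap buffer). It is
 * not VLC's transcode code; all names, sizes and the byte layout below are
 * assumptions made for this example.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define FRAME_CAP 64   /* assumed fixed size of the heap-allocated output frame */

typedef struct {
    uint8_t *data;   /* heap chunk of FRAME_CAP bytes */
    size_t   cap;    /* bytes allocated */
    size_t   len;    /* bytes in use */
} frame_t;

/* Vulnerable pattern: the length field from the stream is used as-is, so a
 * corrupted header makes memcpy write past the end of the heap chunk (the
 * "invalid write" valgrind flags). Shown only for comparison; nothing in
 * this example calls it. */
int append_unchecked(frame_t *f, const uint8_t *src, size_t declared_len)
{
    memcpy(f->data + f->len, src, declared_len);
    f->len += declared_len;
    return 0;
}

/* Hardened version: check that the declared length fits in both the
 * remaining input and the remaining output capacity before copying. */
int append_checked(frame_t *f, const uint8_t *src, size_t avail,
                   size_t declared_len)
{
    if (declared_len > avail)              /* would read past the input */
        return -1;
    if (declared_len > f->cap - f->len)    /* would write past the heap chunk */
        return -1;
    memcpy(f->data + f->len, src, declared_len);
    f->len += declared_len;
    return 0;
}

/* Parses a minimal constructed chunk format:
 *   [u16 little-endian length][payload] repeated.
 * Returns the total bytes appended to the frame, or -1 on a corrupt stream. */
long process_stream(const uint8_t *buf, size_t buflen)
{
    frame_t f = { malloc(FRAME_CAP), FRAME_CAP, 0 };
    if (!f.data)
        return -1;
    size_t pos = 0;
    long appended = 0;
    while (pos + 2 <= buflen) {
        size_t declared = (size_t)buf[pos] | ((size_t)buf[pos + 1] << 8);
        pos += 2;
        if (append_checked(&f, buf + pos, buflen - pos, declared) != 0) {
            free(f.data);
            return -1;          /* corrupted chunk: reject, do not overflow */
        }
        pos += declared;
        appended += (long)declared;
    }
    free(f.data);
    return appended;
}

int main(void)
{
    /* Constructed well-formed stream: two chunks of 3 and 2 bytes. */
    const uint8_t good[] = { 3, 0, 'a', 'b', 'c', 2, 0, 'd', 'e' };
    /* Constructed corrupted stream: header claims 0x0100 = 256 bytes,
     * far more than FRAME_CAP and than the two bytes that follow. */
    const uint8_t bad[] = { 0x00, 0x01, 'x', 'y' };

    printf("good stream: %ld bytes appended\n", process_stream(good, sizeof good));
    printf("bad stream: %ld (rejected)\n", process_stream(bad, sizeof bad));
    return 0;
}
```

The two checks in append_checked are independent: the first guards the read side (a length larger than the bytes actually present), the second the write side (a length that fits the input but not the remaining heap capacity). Either one alone still leaves one of the two overflow directions open, which is why a sanitizer or valgrind run over fuzzed inputs remains the practical way to confirm that a parser rejects corrupted chunks on both sides.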