Jan 24, 2011 08:56 GMT

Two critical heap corruption vulnerabilities that could lead to arbitrary code execution were patched in the VLC media player source code.

The flaws were reported by Dan Rosenberg from Virtual Security Research (VSR) on January 7, 2011, and are located in a decoder for the relatively obscure CD+G format.

CD+G is an extension to the compact disc (CD) standard and allows for low-res graphics to be associated with audio data. There are few playback devices that support the format.

A patch for the vulnerabilities was submitted by Rémi Denis-Courmont on January 11, but did not make it into the recently released VLC 1.1.6 version that fixes a separate critical buffer overflow issue reported by Mr. Rosenberg in the Real demuxer.

"In both cases, a failure to properly validate indexes into statically-sized arrays on the heap could allow a maliciously crafted CDG video to corrupt the heap in a controlled manner, potentially leading to code execution," the git notes read.

The patch was committed to the VLC 1.1.5 source code, but because the CD+G decoder hasn't been modified in a long time, it can be easily ported back to older versions that are also affected.
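The bug class named in the git notes, file-supplied index fields used to address a fixed-size heap array without validation, is shown below as an added example; it is not VLC's code or the actual patch. The screen and tile geometry follow public descriptions of the CD+G format, and every identifier is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Geometry per public CD+G descriptions; every name here is hypothetical. */
#define SCREEN_W 300
#define SCREEN_H 216
#define TILE_W   6
#define TILE_H   12

typedef struct {
    uint8_t screen[SCREEN_W * SCREEN_H]; /* fixed-size array inside a heap object */
} cdg_state;

/* Draw one tile from a 16-byte payload.
 * Returns 0 on success, -1 if the tile would fall outside the screen. */
int cdg_tile_block(cdg_state *st, const uint8_t data[16])
{
    uint8_t color[2] = { data[0] & 0x0f, data[1] & 0x0f };
    unsigned row = data[2] & 0x1f; /* 5-bit field: 0..31, but only 0..17 fit */
    unsigned col = data[3] & 0x3f; /* 6-bit field: 0..63, but only 0..49 fit */
    unsigned x0 = col * TILE_W, y0 = row * TILE_H;

    /* Masking the bit fields is not a bounds check. Without this test,
     * file-controlled row/col values index past the end of screen[]. */
    if (x0 + TILE_W > SCREEN_W || y0 + TILE_H > SCREEN_H)
        return -1;

    for (unsigned y = 0; y < TILE_H; y++) {
        uint8_t bits = data[4 + y] & 0x3f; /* one bit per pixel, MSB first */
        for (unsigned x = 0; x < TILE_W; x++)
            st->screen[(y0 + y) * SCREEN_W + x0 + x] =
                color[(bits >> (TILE_W - 1 - x)) & 1];
    }
    return 0;
}

int main(void)
{
    /* Constructed payloads: last valid tile, then an out-of-range row. */
    const uint8_t good[16] = { 1, 2, 17, 49, 0x3f };
    const uint8_t bad[16]  = { 1, 2, 31, 49, 0x3f };
    cdg_state *st = calloc(1, sizeof *st);
    if (!st) return 1;
    printf("good=%d bad=%d\n", cdg_tile_block(st, good), cdg_tile_block(st, bad));
    free(st);
    return 0;
}
```

A decoder that rejects the packet, rather than clamping the coordinates, also gives a clean signal that a file is malformed.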

VLC is a powerful cross-platform multimedia player capable of playing most media formats natively, without the need for additional codecs. It is open source and distributed under the GNU General Public License.

Binaries are regularly released by the VideoLAN Project for Windows and Mac OS X 10.5 or later, while Linux binaries are provided by each distribution through its own release channels.