Security Advisory 1108

Summary           : Heap corruption in VLC TiVo demuxer
Date              : December 2011
Affected versions : VLC media player 1.1.12 down to 0.9.0
ID                : VideoLAN-SA-1108
CVE reference     : CVE-2012-0023

Details

When parsing the header of an invalid (malformed) TY file, the heap might be corrupted.

Impact

If successfully exploited, a malicious third party could crash the VLC media player process. Arbitrary code execution might be possible on some systems, though this is unconfirmed.
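The advisory gives no details of the defect in VLC's TY demuxer, so the following C program is an added, constructed illustration of the general class it describes, not VLC's ty.c and not the actual bug: a record count read from an untrusted file header drives an allocation and a copy without being checked against the data actually present in memory. The chunk layout (4-byte big-endian count followed by 16-byte record headers inside a fixed-size chunk), the function names and the sample chunks are assumptions made for this example; the hardened parser beside the vulnerable one shows the check a demuxer needs before trusting such a count.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed, hypothetical chunk layout for illustration only (NOT the
 * real TiVo TY layout): a 4-byte big-endian record count at offset 0,
 * followed by that many 16-byte record headers, all inside one
 * fixed-size chunk read from the file. */
#define CHUNK_SIZE   4096u
#define REC_HDR_SIZE 16u
#define MAX_RECS     ((CHUNK_SIZE - 4u) / REC_HDR_SIZE)   /* 255 */

typedef struct {
    uint8_t  type;   /* byte 0 of the record header */
    uint32_t size;   /* bytes 4..7, big-endian: payload length */
} rec_hdr_t;

static uint32_t rd_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void wr_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Vulnerable pattern: the record count comes straight from the file and
 * drives both the allocation size and the number of bytes read out of the
 * chunk.  A count above MAX_RECS reads past the end of the chunk buffer;
 * with a 32-bit size_t, n * sizeof *recs can also wrap, giving a tiny
 * allocation that the loop then overruns (heap corruption). */
int parse_records_unchecked(const uint8_t *chunk, rec_hdr_t **out, uint32_t *n_out)
{
    uint32_t n = rd_be32(chunk);
    rec_hdr_t *recs = malloc(n * sizeof *recs);      /* attacker-sized */
    if (!recs) return -1;
    for (uint32_t i = 0; i < n; i++) {               /* no bound on i vs. chunk */
        const uint8_t *h = chunk + 4 + (size_t)i * REC_HDR_SIZE;
        recs[i].type = h[0];
        recs[i].size = rd_be32(h + 4);
    }
    *out = recs; *n_out = n;
    return 0;
}

/* Hardened form: validate the count against the bytes actually in memory
 * before it is used for any arithmetic, allocation or copy.  Dividing the
 * available length by the record size avoids the n * REC_HDR_SIZE overflow
 * instead of trying to detect it afterwards. */
int parse_records_checked(const uint8_t *chunk, size_t chunk_len,
                          rec_hdr_t **out, uint32_t *n_out)
{
    if (chunk_len < 4) return -1;
    uint32_t n = rd_be32(chunk);
    if (n > (chunk_len - 4) / REC_HDR_SIZE) return -1;   /* header lies about its size */
    rec_hdr_t *recs = calloc(n ? n : 1, sizeof *recs);
    if (!recs) return -1;
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *h = chunk + 4 + (size_t)i * REC_HDR_SIZE;
        recs[i].type = h[0];
        recs[i].size = rd_be32(h + 4);
    }
    *out = recs; *n_out = n;
    return 0;
}

/* Builds a constructed sample chunk: 'count' is written into the header,
 * but only min(count, MAX_RECS) record headers physically fit and are filled. */
void make_chunk(uint8_t *buf, uint32_t count)
{
    memset(buf, 0, CHUNK_SIZE);
    wr_be32(buf, count);
    uint32_t fill = count < MAX_RECS ? count : MAX_RECS;
    for (uint32_t i = 0; i < fill; i++) {
        uint8_t *h = buf + 4 + (size_t)i * REC_HDR_SIZE;
        h[0] = (uint8_t)(0x10 + i);
        wr_be32(h + 4, 100u * (i + 1));
    }
}

int main(void)
{
    uint8_t chunk[CHUNK_SIZE];
    rec_hdr_t *recs; uint32_t n;

    make_chunk(chunk, 3);                             /* benign header */
    if (parse_records_checked(chunk, sizeof chunk, &recs, &n) == 0) {
        printf("benign chunk: %u records, first type 0x%02x size %u\n",
               n, recs[0].type, recs[0].size);
        free(recs);
    }

    make_chunk(chunk, 0x7fffffffu);                   /* hostile header */
    printf("hostile chunk: checked parser -> %d (rejected)\n",
           parse_records_checked(chunk, sizeof chunk, &recs, &n));
    /* parse_records_unchecked(chunk, &recs, &n) on this input asks malloc for
     * ~16 GiB and, if that succeeds, reads far past the 4 KiB chunk; build
     * with -fsanitize=address and a count such as 1000 to watch it fault. */
    return 0;
}
```

The two outcomes named in the Impact section map directly onto the unchecked parser: a count that is merely too large makes the loop read past the chunk and crash, while a count chosen so that the allocation size wraps makes the loop write past a small heap block, which is the condition under which code execution becomes a possibility rather than a certain crash.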

Threat mitigation

Exploitation of this issue requires the user to explicitly open a specially crafted file.

Workarounds

The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins) until the patch is applied.

Alternatively, the TY demux plugin (libty_plugin.*) can be removed manually from the VLC plugin installation directory. This will prevent opening of TiVo files.

Solution

VLC media player 1.1.13 addresses this issue. Patches for older versions are available from the official VLC source code repository (vlc-1.1.git).

Credits

This vulnerability was reported by Clement Lecigne.

References

The VideoLAN project
VLC official GIT repository

History

20 December 2011
Vendor notification.
Patch for VLC development version, 1.2 and 1.1 trees.
Initial security advisory.
20 December 2011
VLC media player 1.1.13 released.
Rémi Denis-Courmont,
on behalf of the VideoLAN project