VideoLAN association
A project and a non-profit organization, composed of volunteers, developing and promoting free, open-source multimedia solutions.

Security Advisory 1201

Summary           : Stack overflow in VLC MMS support
Date              : March 2012
Affected versions : VLC media player all versions up to 2.0.1
ID                : VideoLAN-SA-1201
CVE reference     : CVE-2012-1775


Details will be known later.


If successful, a malicious third party could crash the VLC media player process. Arbitrary code execution should be possible on most systems.

Threat mitigation

Exploitation of this issue requires the user to explicitly open a specially crafted file.


The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied.

Alternatively, the MMS access plugin (libaccess_mms_plugin.*) can be removed manually from the VLC plugin installation directory. This will prevent opening of MMS:// streams.


VLC media player 2.0.1 addresses this issue. Patches for older versions will be available through the git repositories


This vulnerability was reported by Florent Hochwelker, aka TaPiOn.


The VideoLAN project


12 March 2012
Vendor notification.
Private patch for VLC development version, 2.0 and 1.1 trees.
Initial security advisory.
15 March 2012
Official patch merged in VLC development version, 2.0 and 1.1 trees.
Jean-Baptiste Kempf,
on behalf of the VideoLAN project