VideoLAN, a project and a non-profit organization.

Security Advisory 1001

Summary           : Clam AntiVirus input validation error
Date              : February 2010
Affected versions : VLC media player 1.0.5 for Windows
                    Clam AntiVirus all versions
ID                : VideoLAN-SA-1001
CVE reference     : N/A


Clam AntiVirus incorrectly claims that the x86 SSE2-accelerated I:4:2:2 chroma conversion plugin as being a computer trojan. This affects builds of VLC media player with recent versions of the MingW compilation toolchain.


Copy, installation and/or use of VLC media player or applications based on LibVLC may be impossible.

Threat mitigation

This issue only affects users of Clam AntiVirus or anti-virus software using the same virus database.


Remove Clam AntiVirus before downloading VLC media player.

An anti-virus database has to be up-to-date to be of much use. Around 20% of tested antivirus incorrectly detected as VLC 1.0.5 as a trojan at the time of release. Kaspersky Anti-Virus was updated within one business day. The VideoLAN project advises against the use of Clam AntiVirus. Users should not rely on a security software which fails to be updated within a full month period (to date).


This vulnerability was reported by many different people individiually.


The VideoLAN project


28 January 2010
VLC media player 1.0.5 released.
15 February 2010 (probably earlier)
Vendor notification.
28 February 2010
Initial security advisory.

Rémi Denis-Courmont,
on behalf of the VideoLAN project