VideoLAN, a project and a non-profit organization.

Security Advisory 1002

Summary           : Buffer overflow in ancient VLC media player 
Date              : March 2010
Affected versions : VLC media player 0.8.6 to 0.8.6d 
ID                : VideoLAN-SA-1002
CVE reference     : CVE-2010-0364


fl0 fl0w claims to have found a buffer overflow in SSA subtitle parsing in VLC media player 0.8.6 to 0.8.6d. This is actually a subset of a collection of buffer overflows discovered and fixed in late 2007 - early 2008.

See our advisory VideoLAN-SA-0801 for more information.

Threat mitigation

This issue only affects users of very old VLC versions.


Update to the latest VLC media player (1.0.5 at the time of writing).


The VideoLAN project


February 2010: Vendor awareness.
22 March 2010: Initial security advisory.

Christophe Mutricy,
on behalf of the VideoLAN project