VideoLAN, a project and a non-profit organization.

Security Advisory 1104

Summary           : Integer overflow in XSPF playlist parser
Date              : 07 June 2011
Affected versions : VLC media player 1.1.9 down to 0.8.5
ID                : VideoLAN-SA-1104
CVE references    : CVE-2011-2194


VLC media player suffers from an integer overflow vulnerability in the XSPF playlist file parser.


If successful, a malicious third party could crash the player instance. Arbitrary code execution within the context of VLC media player might be possible, though it seems impractical.

Threat mitigation

Exploitation of this bug requires the user to explicitly open specifically crafted malicious files.


The user may refrain from opening files from untrusted sources.

Alternatively, the playlist plugin (demux/libplaylist_plugin.*) can be removed. This will however prevent use of any of the supported playlist file formats.


VLC media player 1.1.10 addresses this issue and introduces further stability fixes.


This vulnerability was reported by Rocco Calvi from stratsec on the VLC bug tracker.


The VideoLAN Project


08 June 2011 : CVE identifier assigned
07 June 2011 : Initial advisory
06 June 2011 : VLC 1.1.10 released
04 June 2011 : Bug fixed
03 June 2011 : Bug reported
Rémi Denis-Courmont,
on behalf of the VideoLAN project