Security Advisory 1202

Summary           : Heap overflows in VLC Real RTSP support.
Date              : March 2012
Affected versions : VLC media player all versions up to 2.0.1
ID                : VideoLAN-SA-1202
CVE reference     : CVE-2012-1776

Details

Details will be published later.

Impact

If successful, a malicious third party could crash the VLC media player process. Arbitrary code execution could be possible on some systems.

Threat mitigation

Exploitation of this issue requires the user to explicitly open a specially crafted file.

Workarounds

The user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins), until the patch is applied.

Alternatively, the realrtsp access plugin (libaccess_realrtsp_plugin.*) can be removed manually from the VLC plugin installation directory. This will prevent opening of Real rtsp streams.
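The manual plugin removal above, written as a small POSIX shell helper (an added example, not part of the advisory or of VLC itself). It assumes the plugin file sits either directly in the VLC plugin directory or in its access/ subdirectory, which varies by VLC version and platform, and it moves the file into a quarantine directory rather than deleting it so it can be restored once a patched VLC is installed.

```shell
#!/bin/sh
# Workaround for VideoLAN-SA-1202: take the Real RTSP access plugin
# (libaccess_realrtsp_plugin.*) out of VLC's plugin directory so VLC
# can no longer load it. The file is moved, not deleted, so the
# workaround is reversible after upgrading.
#
# Usage: disable_realrtsp_plugin <vlc plugin dir> <quarantine dir>
# Prints the number of plugin files moved; returns 1 on error.
disable_realrtsp_plugin() {
    plugin_dir=$1
    quarantine=$2
    moved=0

    [ -d "$plugin_dir" ] || { echo "no such directory: $plugin_dir" >&2; return 1; }
    mkdir -p "$quarantine" || return 1

    # Assumption: flat layout (older VLC) or an access/ subdirectory
    # (VLC 2.0 style); the suffix (.so, .dll, .dylib) depends on platform.
    for f in "$plugin_dir"/libaccess_realrtsp_plugin.* \
             "$plugin_dir"/access/libaccess_realrtsp_plugin.*; do
        [ -e "$f" ] || continue          # unmatched glob stays literal; skip it
        mv -- "$f" "$quarantine"/ || return 1
        moved=$((moved + 1))
    done

    echo "$moved"
    return 0
}

# Post-check: returns 0 if any realrtsp plugin file is still in place.
realrtsp_plugin_present() {
    for f in "$1"/libaccess_realrtsp_plugin.* \
             "$1"/access/libaccess_realrtsp_plugin.*; do
        if [ -e "$f" ]; then
            return 0
        fi
    done
    return 1
}
```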

Solution

VLC media player 2.0.1 addresses this issue. Patches for older versions will be available through the git repositories.

Credits

This vulnerability was reported by Florent Hochwelker, aka TaPiOn.

References

The VideoLAN project

History

12 March 2012
Vendor notification.
Private patch for VLC development version, 2.0 and 1.1 trees.
Initial security advisory.

15 March 2012
Official patch merged in VLC development version, 2.0 and 1.1 trees.

Jean-Baptiste Kempf,
on behalf of the VideoLAN project