Yesterday we reported on a vulnerability in libmodplug, which is used by media players like VLC and GStreamer. Today it has been revealed that there is another vulnerability in VLC, this time a heap corruption in the MP4 demultiplexer. All versions of the VLC media player from 1.0.0 to the current 1.1.8 are affected.
According to the advisory, when VLC parses some MP4 (MPEG-4 Part 14) files, an insufficient buffer size might lead to corruption of the heap. It is not yet known whether a malicious third party might be able to use this to trigger execution of arbitrary code. However, successful exploitation of this bug can crash the media player.
As with the libmodplug issue reported yesterday, exploitation of this issue requires the user to explicitly open an MP4 file with specially crafted content. The workaround, until VLC media player 1.1.9 is released, is to refrain from opening MP4 files from untrusted third parties or accessing untrusted remote sites. Alternatively, the MP4 decoder plugin (libmp4_plugin.*) can be removed manually from the VLC plugin installation directory.
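
The manual plugin removal described above can be scripted so that it is reversible once 1.1.9 is installed. The following is an added example, not code from the VLC project or the advisory; the function name `disable_mp4_plugin` and the backup directory are assumptions, and the plugin directory is passed in because its location depends on the platform and the install.

```shell
#!/bin/sh
# Added example: move libmp4_plugin.* out of a VLC plugin tree so that
# VLC can no longer load it, while keeping a copy that can be restored.

# disable_mp4_plugin PLUGIN_DIR BACKUP_DIR   (hypothetical helper name)
# Moves every file named libmp4_plugin.* found under PLUGIN_DIR into
# BACKUP_DIR, preserving its path relative to PLUGIN_DIR.
# Prints the number of files moved.
# Returns 0 if at least one file was moved, 1 if none was found,
# 2 on a usage or filesystem error.
disable_mp4_plugin() {
    plugin_dir=${1%/}          # tolerate a trailing slash
    backup_dir=$2
    [ -d "$plugin_dir" ] || { echo "not a directory: $plugin_dir" >&2; return 2; }
    [ -n "$backup_dir" ] || { echo "backup directory required" >&2; return 2; }

    list=$(mktemp) || return 2
    # Match the exact base name with any extension (.so, .dll, .dylib, ...),
    # not other plugins whose names merely begin with "libmp4".
    find "$plugin_dir" -type f -name 'libmp4_plugin.*' > "$list"

    moved=0
    while IFS= read -r f; do
        rel=${f#"$plugin_dir"/}
        dest=$backup_dir/$rel
        mkdir -p "$(dirname "$dest")" && mv -- "$f" "$dest" \
            || { rm -f "$list"; return 2; }
        moved=$((moved + 1))
    done < "$list"
    rm -f "$list"

    echo "$moved"
    [ "$moved" -gt 0 ]
}
```

A return status of 1 means no matching plugin was found under the given directory, which usually indicates that the wrong directory was supplied rather than that the player is unaffected.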