Commit at $URL; from http://mailman.videolan.org/pipermail/vlc-devel/2011-January/078607.html:

I ran into some corrupt mkv that'd crash vlc. Debugging revealed an issue in the StripTags() function: it can run past the input string termination, resulting in a heap corruption. Assuming the input string contains a '<' char but doesn't include the terminating '>', the routine will run past the end of the string termination. It happens because psz_subtitle += strcspn( psz_subtitle, ">" ); in combination with psz_subtitle++; advances psz_subtitle past the string termination. Bytes after the string termination will be copied to the destination buffer, smashing the heap.

From the upstream commit log [1], this appears to have been merged after the 1.1.6 release.

[1] http://git.videolan.org/gitweb.cgi?p=vlc/vlc-1.1.git;a=shortlog;h=dc14617f39c03bbe80c3cc4f92799dca840966eb
CVE-2011-0522 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-0522): The StripTags function in (1) the USF decoder (modules/codec/subtitles/subsdec.c) and (2) the Text decoder (modules/codec/subtitles/subsusf.c) in VideoLAN VLC Media Player 1.1 before 1.1.6-rc allows remote attackers to execute arbitrary code via a subtitle with an opening "<" without a closing ">" in an MKV file, which triggers heap memory corruption, as demonstrated using refined-australia-blu720p-sample.mkv.
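The pointer arithmetic described in the report and in the CVE text above, as an added example that is not VLC's code nor the upstream fix: a simplified tag-stripping loop in its unfixed form beside a corrected one. The unfixed variant takes an oversized destination and a constructed input with a second NUL placed after the real terminator, purely so the over-read stays inside the sample buffer and can be observed; in the real decoder the destination is only strlen+1 bytes, so the same copy overflows the heap allocation.

```c
#include <stdlib.h>
#include <string.h>

/* Unfixed pattern: after strcspn() lands on the NUL of an unterminated
 * "<" tag, the unconditional increment steps past the terminator and the
 * loop keeps copying whatever follows in memory. dst_size is a
 * demonstration parameter (assumption) so the copy has room here. */
static char *strip_tags_unfixed(const char *src, size_t dst_size)
{
    char *dst = malloc(dst_size);
    char *out = dst;
    if (!dst) return NULL;
    while (*src) {
        if (*src == '<')
            src += strcspn(src, ">");   /* may stop on '\0', not on '>' */
        else
            *out++ = *src;
        src++;                          /* steps past '\0' when no '>' */
    }
    *out = '\0';
    return dst;
}

/* Corrected: if the tag never closes, stop at the terminator instead of
 * walking past it. strcspn() never returns an offset beyond the NUL, so
 * checking for '\0' right after it is sufficient. */
static char *strip_tags_fixed(const char *src)
{
    char *dst = malloc(strlen(src) + 1); /* stripped text is never longer */
    char *out = dst;
    if (!dst) return NULL;
    while (*src) {
        if (*src == '<') {
            src += strcspn(src, ">");
            if (*src == '\0') break;     /* unterminated tag: stop here */
        } else {
            *out++ = *src;
        }
        src++;
    }
    *out = '\0';
    return dst;
}

/* Constructed sample: an unterminated "<b" tag, the real terminator, then
 * bytes that sit "after the string termination" and a second NUL. */
static const char sample_unterminated[] = "Hi <b\0AFTER";
static const char sample_wellformed[]   = "a<i>b</i>c";
```

With the constructed input, the unfixed loop returns "Hi AFTER" (the bytes past the terminator were copied), while the corrected loop returns "Hi "; both agree on well-formed input.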
This issue was resolved and addressed in GLSA 201411-01 at http://security.gentoo.org/glsa/glsa-201411-01.xml by GLSA coordinator Sean Amoss (ackle).