
VLC Media Player 2.0.7 mov files memory corruption vulnerability

Hi,

I have found a memory corruption vulnerability in VLC Media Player 2.0.7 (tested on the latest nightly versions too) that could allow arbitrary code execution. The vulnerability is caused by the program using an object that has already been freed, resulting in a use-after-free vulnerability that allows attackers to control the program flow.

Tested on Windows XP SP3 with VLC Media Player 2.0.7 and 2.2.0 (nightly version).

Reproduce:
1. Open VLC_mov_vuln.mov with VLC Media Player.
2. See the crash.

Stacktrace (see the full stacktrace in the attached file):

(e84.f78): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0148fbd8 ebx=014edb28 ecx=00000000 edx=00000013 esi=00000000 edi=01463260
eip=abababab esp=0423fd54 ebp=00000000 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010246
Missing image name, possible paged-out or corrupt data.
abababab ??              ???
0:008> .exr -1
ExceptionAddress: abababab
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: abababab
Attempt to read from address abababab
0:008> .lastevent
Last event: e84.f78: Access violation - code c0000005 (first chance)
  debugger time: Fri Jul 19 20:19:28.156 2013 (GMT-3)
0:008> kv
ChildEBP RetAddr  Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
0423fd50 03317938 014edb28 00000000 00000000 0xabababab
00000000 00000000 00000000 00000000 00000000 libavcodec_plugin!vlc_entry_license__1_2_0l+0x3dc8

Cheers, Mario
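A small crash-triage helper, added here as an example and not part of the report or of VLC itself: it parses the WinDbg register dump and `.exr` record shown above and flags an instruction pointer that equals a known heap fill pattern, which is the signature of control flow running through a dangling pointer. The fill-pattern table is an assumed reference list of documented Windows debug constants, and the sample log is constructed from the report's own lines.

```python
import re

# Well-known 32-bit Windows fill patterns (assumed reference table of documented
# debug-fill constants; none of this comes from VLC's own source code).
FILL_PATTERNS = {
    0xABABABAB: "HeapAlloc guard bytes after an allocated block",
    0xFEEEFEEE: "HeapFree freed heap memory",
    0xBAADF00D: "LocalAlloc uninitialised heap memory",
    0xDDDDDDDD: "CRT debug freed heap memory",
    0xCCCCCCCC: "uninitialised stack (MSVC /GZ)",
}

REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|eip|esp|ebp)=([0-9a-f]{8})")
EXR_RE = re.compile(r"ExceptionAddress:\s*([0-9a-f]{8}).*?ExceptionCode:\s*([0-9a-f]{8})", re.S)

def parse_windbg(text):
    """Pull the register dump and the .exr record out of a WinDbg session log."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(text)}
    m = EXR_RE.search(text)
    return {
        "regs": regs,
        "exception_address": int(m.group(1), 16) if m else None,
        "exception_code": int(m.group(2), 16) if m else None,
        "ip_outside_modules": "Frame IP not in any known module" in text,
    }

def triage(text):
    """eip equal to a heap fill pattern means the program jumped through a pointer
    read from freed or guard memory: the control-flow problem a use-after-free yields."""
    info = parse_windbg(text)
    eip = info["regs"].get("eip")
    findings = []
    if eip in FILL_PATTERNS:
        findings.append(f"eip=0x{eip:08x} is a fill pattern ({FILL_PATTERNS[eip]})")
    if info["exception_code"] == 0xC0000005 and info["exception_address"] == eip:
        findings.append("access violation while fetching the instruction at eip")
    if info["ip_outside_modules"]:
        findings.append("eip lies outside every loaded module")
    severity = "likely control-flow hijack" if eip in FILL_PATTERNS else "needs manual review"
    return {"eip": eip, "severity": severity, "findings": findings}

# Constructed sample: the essential lines of the WinDbg output from the report.
SAMPLE = """eax=0148fbd8 ebx=014edb28 ecx=00000000 edx=00000013 esi=00000000 edi=01463260
eip=abababab esp=0423fd54 ebp=00000000 iopl=0 nv up ei pl zr na pe nc
ExceptionAddress: abababab
   ExceptionCode: c0000005 (Access violation)
WARNING: Frame IP not in any known module. Following frames may be wrong.
0423fd50 03317938 014edb28 00000000 00000000 0xabababab"""
```

Running `triage(SAMPLE)` on the report's dump yields three findings and the "likely control-flow hijack" classification; a crash with eip inside a loaded module falls through to manual review.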
