media player corrective release , in which the accumulated and eliminated , including three issues (CVE-2019-14970, CVE-2019-14777, CVE-2019-14533) to the execution of malicious code when trying to play specially designed multimedia files in the MKV and ASF formats (buffer overflow on the record and two problems with memory access after it is freed).
Four vulnerabilities in the OGG, AV1, FAAD, ASF format handlers are caused by the ability to read data from memory areas outside the allocated buffer. Three issues lead to NULL pointer dereferencing in the dvdnav, asf, and avi decompressors. One vulnerability allows an integer overflow in the MP4 decompressor.
Issue with OGG unpacker (CVE-2019-14438) VLC developers as reading from an area outside the buffer (read buffer overflow), but security researchers who identified the vulnerability , which can cause a write overflow and organize code execution when processing OGG, OGM and OPUS files with a specially designed header block.
There is also a vulnerability (CVE-2019-14533) in the ASF unpacker that allows writing data to an already freed memory area and causing code execution when scrolling forward or backward on the timeline during playback of WMV and WMA files. In addition, the problems CVE-2019-13602 (integer overflow) and CVE-2019-13962 (reading from an out-of-buffer area) have been assigned a critical severity level (8.8 and 9.8), but the VLC developers do not agree and consider these vulnerabilities to be harmless (they suggest changing the level at 4.3).
Non-security fixes include fixing stuttering when watching videos at low frame rates, improving support for adaptive streaming (improved buffering code), resolving issues with rendering WebVTT subtitles, improving audio output on macOS and iOS platforms, updating the script for downloading from Youtube , resolving issues with enabling Direct3D11 to apply hardware acceleration on systems with some AMD drivers.
Source: opennet.ru