CVE-2023-47360: 
VLC media player vulnerability analysis and mitigation

Videolan VLC media player versions prior to 3.0.20 contain an Integer underflow vulnerability (CVE-2023-47360) that leads to an incorrect packet length in the MMS (Microsoft Media Server) protocol implementation (NVD, CVE). The vulnerability was discovered and reported on September 1, 2023, and was fixed in VLC version 3.0.20 released on October 30, 2023.

The vulnerability exists in the MMSH (MMS over HTTP) module of VLC. When calculating the data size in the GetPacket function, there is an integer underflow vulnerability due to improper handling of the isize2 parameter. The calculation p_ck->i_data = p_ck->i_size2 - 8 can result in an underflow because isize2 is a uint16t type while idata is an int type (VLC Blog). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

The integer underflow vulnerability can lead to incorrect packet length calculations in the MMS protocol implementation, potentially affecting the availability of the VLC media player (NVD). This could result in application crashes or other undefined behavior when processing MMS streams.

Users are advised to upgrade to VLC version 3.0.20 or later which contains the fix for this vulnerability. The fix was released on October 30, 2023, and has been backported to various Linux distributions (Debian LTS). The vulnerability was fixed through proper handling of packet length calculations in the MMSH module.