requests/status.xml in VLC 0.9.8a allows remote attackers to cause a denial of service (stack consumption and crash) via a long input argument in an in_play action.
https://www.exploit-db.com/exploits/8213
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14357
https://exchange.xforce.ibmcloud.com/vulnerabilities/49249