CVE-2018-19937

A local attacker who has physical access to an unlocked iOS device running VLC can bypass the app's passcode lock by opening a specially crafted URL (e.g., a `vlc://` scheme URL) while the phone is being turned or rotated. The bug occurs because the `application:openURL:options:` delegate method did not enforce passcode validation before processing the URL, so the attacker can trigger media playback or other actions without entering the passcode. The "turning the phone" action likely triggers a re-layout or re-entry path that skips the passcode screen [ref_id=1].

The vulnerability resides in the iOS app delegate's handling of the `openURL:` callback. Before the patch, the `application:openURL:options:` method did not call `validatePasscodeIfNeededWithCompletion:` before processing the incoming URL, allowing the URL to be handled without passcode validation. The patch adds a passcode validation block inside `application:openURL:options:` that defers library setup and URL opening until after the passcode check completes [ref_id=1].

The fix wraps the URL-handling logic inside a `validatePasscodeIfNeededWithCompletion:` block, ensuring that the passcode is verified before the URL is processed. Additionally, the patch refactors the initial library setup into a separate `setupLibrary` method that is called only after passcode validation, preventing the app from exposing its full interface before the passcode check completes [ref_id=1].