Look at the supported formats lists. It includes so many parsers, mostly written in C, which means there probably are a few dozen ways to exploit the player.
Can you tell us about any prior or active incidents like that though?
That is, I'm calling you out for fearmongering, for a possible what-if, but given how popular VLC is you'd think it would've happened / is actively happening already. And there is no evidence for that.