Can malicious code fit in 14 bytes?

Yes, it can. It could be just the trigger vulnerability which would load data on specific areas of the movie in memory and execute.

The malicious part can be pretty small, and the payload could be stored elsewhere. After extracting and executing the payload, additional modules can be downloaded, doing way more than the loader.

It's like most malware infections work: a small component, called the "dropper", is executed first and it downloads and executes other modules, until the entire malware is downloaded and executed. Those 14 bytes may very much be a dropper.

In this specific case, those 14 bytes could load parts of the movie on memory, load its address into the register, and jump into it. Examining only the video would not show anything suspicious, as the code would look like video data (or metadata), but the 14 bytes from the loader would stand out.

It really depends on the programming language and the context into which the code is being injected.

For examples of what can be done in a very small amount of code space, check out the Code Golf Stack Exchange site.

It can absolutely fit. For example, this CTF challenge solution attacks a binary that executes ~12 bytes. The payload sent is:

0:  54                      push   rsp
1:  5e                      pop    rsi
0000000000000002 <y>:
2:  31 e2                   xor    edx,esp
4:  0f 05                   syscall
6:  eb fa                   jmp    2 <y>

(assumes all registers are zeroed out)

This is only 8 bytes for a complete pwn which gives you code execution, which then leads to a remote shell.

Of course, this is highly targeted, but it serves as an example.