Recent Posts
General - (fb2k) / Re: Filtering Duplicate FLACs Using MD5 Hash
Last post by VivinCels -
I just created a column in the playlist; in the pattern I set $info(md5).
I have another question. Is it possible to automatically remove lines from the playlist that do not have duplicates with the same values in a specific column? In this case, I would like only groups of duplicates to remain in the playlist. Like this:
General - (fb2k) / Re: can i convert dsd to wav?
Last post by Valter -
Thank you all for the answers.
I need to study and take a look at all the variables.
I'm preparing some documentation with screenshot examples, a detailed description of what worked well, and the ISO file from which the conversion creates shortened files.
Validated News / Re: Critical bug in ALAC decoding software in Android
Last post by ktf -
Obviously the FFmpeg decoder was written from scratch by a competent person and doesn't suffer from any of these issues.
Also, the bugs mentioned in the article can be found by proper fuzz testing. FFmpeg is being continuously fuzz-tested for issues such as these.

Edit: See for example this list of fixed bugs found by oss-fuzz in FFmpeg's WavPack decoder, of which 3 are security related. This is just one of the many decoders in FFmpeg.
Validated News / Re: Critical bug in ALAC decoding software in Android
Last post by Peter -
Apparently the details are out:
https://research.checkpoint.com/2022/bad-alac-one-codec-to-hack-the-whole-world/

Bug #1:
Unchecked allocation of samples*4. The original code misused calloc() for this, which was precisely meant to mitigate such problems, only they didn't let calloc() do the math and fail.
Unfortunately foobar2000 versions prior to the latest are vulnerable.

Bug #2:
Unchecked "partial" frame larger than the nominal frame. Old; I found and fixed this years ago.

There is a third bug in the Apple code, found by me after reading the initial article:
Decoding of Single Channel Elements is not range checked against the number of expected channels in the stream, effectively also allowing an out-of-bounds write to the output buffer, just like the unchecked partial frame did.
I expect Qualcomm, using the Apple library, to have this also. The Shairport code supposedly used by MediaTek appears to be completely missing the relevant features and just fails to decode anything that's not plain mono or plain stereo, so they're safe.
I have done some quick tests and could not confirm bad behavior of an Android/Qualcomm phone playing an offending sample. I do not have the resources to thoroughly verify if/what other software/hardware is also vulnerable to this (old foobar2000 was, now fixed).

I just updated my fork of the Apple library with the latest fixes:
https://perkele.cc/software/ALAC
It's a drop-in replacement for the original code, everyone is welcome to use it or merge fixes over.
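The three defects described in the post above all come down to missing bounds arithmetic before a buffer is allocated or written. The following C snippet is an added illustration of those checks and is not code from the Apple ALAC library, foobar2000 or the linked fork; the struct and function names are invented for the example. It contrasts the wrapping 32-bit samples*4 product with a size_t computation that lets calloc() multiply (and fail) itself, and it shows the two range checks a decoder needs before writing an element: the partial-frame length against the nominal frame length, and a single-channel element's channel index against the channel count from the stream header.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the checks discussed above; not code from the
   Apple ALAC library, foobar2000 or the linked fork. Names are invented. */

#define BYTES_PER_SAMPLE 4u

/* Bug #1 pattern: a 32-bit product computed before the allocator sees it
   wraps to a small value, so calloc(1, wrapped) "succeeds" with a buffer far
   smaller than the decoder later writes into. */
uint32_t unchecked_byte_count(uint32_t samples)
{
    return samples * BYTES_PER_SAMPLE;   /* wraps for samples >= 2^30 */
}

/* Hardened: test for overflow explicitly in size_t and report failure
   instead of silently handing a wrapped size to the allocator. */
int checked_byte_count(uint32_t samples, size_t *out_bytes)
{
    if (samples > SIZE_MAX / BYTES_PER_SAMPLE)
        return 0;                        /* would overflow: reject */
    *out_bytes = (size_t)samples * BYTES_PER_SAMPLE;
    return 1;
}

typedef struct {
    uint32_t num_channels;   /* channels declared in the stream header */
    uint32_t frame_length;   /* nominal samples per channel per frame */
    int32_t *samples;        /* interleaved output, num_channels * frame_length */
} out_buffer;

/* Allocate the interleaved output buffer. calloc(nmemb, size) multiplies in
   size_t and returns NULL on overflow, unlike calloc(1, samples*4). */
int out_buffer_init(out_buffer *b, uint32_t num_channels, uint32_t frame_length)
{
    size_t bytes;
    uint64_t total = (uint64_t)num_channels * frame_length;
    if (total > UINT32_MAX || !checked_byte_count((uint32_t)total, &bytes))
        return 0;
    b->num_channels = num_channels;
    b->frame_length = frame_length;
    b->samples = calloc((size_t)total, BYTES_PER_SAMPLE);
    return b->samples != NULL;
}

/* Bug #2 and #3 checks: a "partial" frame may not exceed the nominal frame
   length, and a single-channel element may not name a channel beyond the
   count announced in the header. Returns 1 if the element may be written. */
int element_in_bounds(const out_buffer *b, uint32_t channel, uint32_t element_samples)
{
    if (channel >= b->num_channels)         /* bug #3: SCE index vs channel count */
        return 0;
    if (element_samples > b->frame_length)  /* bug #2: partial frame too long */
        return 0;
    return 1;
}

/* Write one decoded element into the interleaved buffer only after the
   bounds check passes. Returns the number of samples written, 0 if rejected. */
uint32_t write_element(out_buffer *b, uint32_t channel,
                       const int32_t *pcm, uint32_t element_samples)
{
    if (!element_in_bounds(b, channel, element_samples))
        return 0;
    for (uint32_t i = 0; i < element_samples; i++)
        b->samples[(size_t)i * b->num_channels + channel] = pcm[i];
    return element_samples;
}

void out_buffer_free(out_buffer *b)
{
    free(b->samples);
    b->samples = NULL;
}
```

The point of `unchecked_byte_count` is only to make the wrap visible: a sample count of 0x40000001 yields 4 bytes, which calloc(1, 4) happily returns. Routing the size through `checked_byte_count` and then `calloc(total, BYTES_PER_SAMPLE)` turns the same input into an allocation failure the decoder can report, and `element_in_bounds` is the check that has to run before every element write regardless of how the buffer was sized.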