Two theoretical bugs in one place.

[ac2epsilon]

I know, I know. This is an old code, non-critical and generally useless. AND that is why this becomes interesting, why in 16 years so many people missed such nuances.

I mean findframe function from checkframe.c. We try some tag headers to skip them AND collecting alient garbage. Lets take tag TAG. Imagine we have some macros with obvious functionality

#define READ_NEXT(bytes) res = cfread(++ptr, bytes, file->fp); if (res < bytes) continue;
#define ALIEN(bytes) alienbytes(file, bytes);

Now we get the following snippet of code

} else if (*ptr == 'T') { /* TAG -> ID3v1 tag */
READ_NEXT(2)
if (*ptr++ == 'A' && *ptr++ == 'G') {
skip_id3v1_tag(file);
} else ALIEN(3);
}`

First what we do wrong is ALIEN(3); We miss a case then after 'T' we have something pretty valid, like {'T', 0xFF, 0xFE} or {'T', 0, 0xFF}. So we have to rewind pointer for 2 and alientize by 1.

#define ALIEN(bytes) *ptr-=(bytes-1); alienbytes(file, 1);

Second. We pretty sure in success of our skip. No any doubts. However it is very vain. It may be better to chain skip to be sure all bytes of tag is correct and consistent, not only TAG. Probably it can be written like that

`if (*ptr++ == 'A' && *ptr++ == 'G' && skip_id3v1_tag(file) ) { /* smoke with seriosity of idler */}`
 `else ALIEN(3);`