diff --git a/libavcodec/cdgraphics.c b/libavcodec/cdgraphics.c
index 1f666fc363..eb315321ce 100644
--- a/libavcodec/cdgraphics.c
+++ b/libavcodec/cdgraphics.c
@@ -218,7 +218,7 @@ static void cdg_scroll(CDGraphicsContext *cc, uint8_t *data,
 vscmd = (data[2] & 0x30) >> 4;
 h_off = FFMIN(data[1] & 0x07, CDG_BORDER_WIDTH - 1);
- v_off = FFMIN(data[2] & 0x07, CDG_BORDER_HEIGHT - 1);
+ v_off = FFMIN(data[2] & 0x0F, CDG_BORDER_HEIGHT - 1);
 /// find the difference and save the offset for cdg_tile_block usage
 hinc = h_off - cc->hscroll;
diff --git a/libavformat/apetag.c b/libavformat/apetag.c
index bf9918a0b3..a445c84aef 100644
--- a/libavformat/apetag.c
+++ b/libavformat/apetag.c
@@ -142,11 +142,11 @@ int64_t ff_ape_parse_tag(AVFormatContext *s)
 return 0;
 }
- tag_start = file_size - tag_bytes - APE_TAG_FOOTER_BYTES;
- if (tag_start < 0) {
+ if (tag_bytes > file_size - APE_TAG_FOOTER_BYTES) {
 av_log(s, AV_LOG_ERROR, "Invalid tag size %u.\n", tag_bytes);
 return 0;
 }
+ tag_start = file_size - tag_bytes - APE_TAG_FOOTER_BYTES;
 fields = avio_rl32(pb); /* number of fields */
 if (fields > 65536) {
diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
index 14aa9e01c6..3b3cf79201 100644
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -689,13 +689,15 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
 /* check for text tag or supported special meta tag */
 } else if (tag[0] == 'T' || (extra_meta && (extra_func = get_extra_meta_func(tag, isv34)))) {
 if (unsync || tunsync || tcomp) {
- int i, j;
+ int64_t end = avio_tell(s->pb) + tlen;
+ uint8_t *b;
 av_fast_malloc(&buffer, &buffer_size, dlen);
 if (!buffer) {
 av_log(s, AV_LOG_ERROR, "Failed to alloc %ld bytes\n", dlen);
 goto seek;
 }
+ b = buffer;
 #if CONFIG_ZLIB
 if (tcomp) {
 int n, err;
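Review bot: The two offset masks in cdg_scroll now differ (`0x07` for h_off, `0x0F` for v_off) and nothing on these lines says why, which invites a later "consistency" edit that brings the truncation back. A one-line comment above the pair would pin it down, e.g. `/* h_off is a 3-bit field, v_off a 4-bit field; FFMIN keeps both inside the border */`. Both values are taken straight from the packet bytes in `data`, so the FFMIN clamp is the only thing bounding them and is worth naming in that comment. cdg_scroll's body starts and ends outside the hunk.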
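Review bot: The new test `tag_bytes > file_size - APE_TAG_FOOTER_BYTES` in ff_ape_parse_tag is only as sound as the operand types, which are declared outside the hunk. `tag_bytes` is logged with `%u`, so it is presumably unsigned; if `file_size` is a 32-bit int, the right-hand side is converted to unsigned for the comparison, and a file shorter than the footer would wrap it to a very large value and let any tag size through, unless that case is already rejected earlier in the function. Doing the comparison in signed 64-bit arithmetic removes that dependency: `if ((int64_t)tag_bytes > (int64_t)file_size - APE_TAG_FOOTER_BYTES) {`.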
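Review bot: The two locals added at the top of the `if (unsync || tunsync || tcomp)` block in ff_id3v2_parse carry no comment, and they measure different things: `end` is an absolute position in `s->pb` derived from `tlen`, while `b` walks a buffer that the next statement sizes with `dlen`. I would annotate them, e.g. `/* stream offset just past this frame's payload */` on `end` and `/* write cursor into buffer */` on `b`, so the bound each one provides is obvious where the loop is written. The enclosing function starts and ends outside the hunk.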
@@ -719,19 +721,24 @@ static void ff_id3v2_parse(AVFormatContext *s, int len, uint8_t version, uint8_t
 av_log(s, AV_LOG_ERROR, "Failed to uncompress tag: %d\n", err);
 goto seek;
 }
+ b += dlen;
 }
 #endif
-
- for (i = 0, j = 0; i < dlen; i++, j++) {
- if (!tcomp)
- buffer[j] = avio_r8(s->pb);
- if (j > 0 && !buffer[j] && buffer[j - 1] == 0xff) {
- /* Unsynchronised byte, skip it */
- j--;
+ if (unsync || tunsync) {
+ if (tcomp) {
+ av_log_ask_for_sample(s, "tcomp with unsync\n");
+ goto seek;
+ }
+ while (avio_tell(s->pb) < end) {
+ *b++ = avio_r8(s->pb);
+ if (*(b - 1) == 0xff && avio_tell(s->pb) < end - 1) {
+ uint8_t val = avio_r8(s->pb);
+ *b++ = val ? val : avio_r8(s->pb);
 }
 }
- ffio_init_context(&pb, buffer, j, 0, NULL, NULL, NULL, NULL);
- tlen = j;
+ }
+ ffio_init_context(&pb, buffer, b - buffer, 0, NULL, NULL, NULL, NULL);
+ tlen = b - buffer;
 pbx = &pb; // read from sync buffer
 } else {
 pbx = s->pb; // read straight from input
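Review bot: The stores through `b` in the new `while (avio_tell(s->pb) < end)` loop are limited only by the stream position, never by the size of `buffer`, which the previous hunk allocates with `dlen` bytes while `end` is derived from `tlen`. Both lengths are set outside these hunks and come from the tag being parsed, so unless an earlier check guarantees `tlen <= dlen` a crafted frame can move `b` past the allocation; the same loop also has no exit of its own if the input ends before `end` is reached. The inner branch additionally stores a second byte without re-testing it, so a constructed sequence such as ff 00 ff 00 keeps its second 00. Tracking the previous byte in a flag fixes that and leaves one bounded store per iteration, as sketched below; ff_id3v2_parse starts and ends outside the hunk.

```c
                if (unsync || tunsync) {
                    int prev_ff = 0;
                    /* … unchanged: tcomp-with-unsync rejection … */
                    while (avio_tell(s->pb) < end && b - buffer < dlen) {
                        uint8_t val = avio_r8(s->pb);
                        if (prev_ff && !val) {
                            /* unsynchronisation byte after 0xff: drop it */
                            prev_ff = 0;
                            continue;
                        }
                        *b++    = val;
                        prev_ff = val == 0xff;
                    }
                }
```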