diff --git a/libavcodec/dfa.c b/libavcodec/dfa.c
index b20cd0e41bbb21106dee667c68345a238ed58b45..7522a05f8a5b65e8da2a2d43ff7fd124cc5e780d 100644
--- a/libavcodec/dfa.c
+++ b/libavcodec/dfa.c
@@ -261,6 +261,8 @@ static int decode_wdlt(GetByteContext *gb, uint8_t *frame, int width, int height
             segments = bytestream2_get_le16(gb);
         }
         line_ptr = frame;
+        if (frame_end - frame < width)
+            return AVERROR_INVALIDDATA;
         frame += width;
         y++;
         while (segments--) {
diff --git a/libavformat/id3v2.c b/libavformat/id3v2.c
index 989ebf2a05446e12fa520b9edeb532b8b928effa..3567bbc57b01d46b843d74d70896daa37fecf5f3 100644
--- a/libavformat/id3v2.c
+++ b/libavformat/id3v2.c
@@ -490,9 +490,9 @@ static void read_apic(AVFormatContext *s, AVIOContext *pb, int taglen, char *tag
     }
 
     apic->buf = av_buffer_alloc(taglen + FF_INPUT_BUFFER_PADDING_SIZE);
-    apic->buf->size -= FF_INPUT_BUFFER_PADDING_SIZE;
     if (!apic->buf || !taglen || avio_read(pb, apic->buf->data, taglen) != taglen)
         goto fail;
+    memset(apic->buf->data + taglen, 0, FF_INPUT_BUFFER_PADDING_SIZE);
 
     new_extra->tag    = "APIC";
     new_extra->data   = apic;
@@ -848,7 +848,7 @@ int ff_id3v2_parse_apic(AVFormatContext *s, ID3v2ExtraMeta **extra_meta)
         av_init_packet(&st->attached_pic);
         st->attached_pic.buf          = apic->buf;
         st->attached_pic.data         = apic->buf->data;
-        st->attached_pic.size         = apic->buf->size;
+        st->attached_pic.size         = apic->buf->size - FF_INPUT_BUFFER_PADDING_SIZE;
         st->attached_pic.stream_index = st->index;
         st->attached_pic.flags       |= AV_PKT_FLAG_KEY;