I should apologise. I also prepared this same patch to submit over a 
year or two ago but ended up neglecting it. I also discovered these two 
CVE patches (attached)  from another distribution that i was going to 
add. Perhaps the best solution is to switch to git-reference and choose 
a more recent commit that includes all these fixes. Your patch is in 
master at 
https://github.com/taglib/taglib/commit/9336c82da3a04552168f208cd7a5fa4646701ea4 
and the two I attached are also in master.