Author ned.deily
Recipients BT123, ned.deily, serhiy.storchaka
Date 2018-03-04.23:43:55
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1520207035.5.0.467229070634.issue32056@psf.upfronthosting.co.za>
In-reply-to
Content
> For any program which receives an external file, checking the input file is necessary, isn't it?

Yes and no.  wave.py is doing checking and can raise various exceptions.  So a well-designed program has to be prepared to handle exceptions when calling wave.py.  The suggested fix would provide a more specific error message and exception, rather than a division by zero one, but the net effect to the caller of wave.py is the same.

> And a program error leads to a security bug, isn't that right?

No. That a program can terminate due to an uncaught exception is not by itself considered a security error.  See https://www.python.org/news/security/ for a discussion. In particular, "The general rule is any attack worth reporting via the security address must allow an attacker to affect the confidentiality, integrity and availability of the Python application or its system for which the attacker does not already have the capability."  As things stand now, if an application is vulnerable to a denial-of-service attack due to a faulty wav file, it is a failure of that application to handle possible exceptions from wave.py, not a security issue in Python itself.
History
Date                 User       Action  Args
2018-03-04 23:43:55  ned.deily  set     recipients: + ned.deily, serhiy.storchaka, BT123
2018-03-04 23:43:55  ned.deily  set     messageid: <1520207035.5.0.467229070634.issue32056@psf.upfronthosting.co.za>
2018-03-04 23:43:55  ned.deily  link    issue32056 messages
2018-03-04 23:43:55  ned.deily  create
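The caller-side handling the reply above describes, as an added example (not code from this issue, from the reporter, or from CPython's wave.py): an application that feeds untrusted WAV files to wave.open is expected to catch the exceptions wave.py raises and to sanity-check what the header claims before acting on it. The build_wav helper, the hypothetical describe_wav function, the sample inputs and the numeric caps (MAX_FRAMES, MAX_CHANNELS, MAX_SAMPWIDTH) are constructed for this example. ZeroDivisionError is kept in the caught set because, as the reply notes, a zero-sized frame surfaced as a division by zero on affected versions; with the fix it surfaces as a wave.Error, and the caller's handling is the same either way.

```python
import io
import struct
import wave

# Exceptions a caller of wave.py has to be ready for. ZeroDivisionError is
# included because, as this issue describes, a crafted fmt chunk with a zero
# channel count or zero sample width turned into a division by zero inside
# wave.py on affected versions; the fix raises wave.Error instead.
WAV_PARSE_ERRORS = (wave.Error, EOFError, ZeroDivisionError, struct.error, OSError)

# Caps on header-declared values. These limits are an assumption of this
# example, not something the wave module or the issue specifies.
MAX_FRAMES = 1_000_000
MAX_CHANNELS = 16
MAX_SAMPWIDTH = 4


def build_wav(nchannels, sampwidth, framerate, frames, declared_size=None):
    """Assemble a minimal RIFF/WAVE byte string (constructed test input).

    declared_size lets the data chunk header lie about its length, which is
    the kind of inconsistency an attacker-supplied file may carry.
    """
    fmt_body = struct.pack(
        "<HHIIHH",
        1,                                  # wFormatTag: PCM
        nchannels,
        framerate,
        framerate * nchannels * sampwidth,  # average bytes per second
        nchannels * sampwidth,              # block align (bytes per frame)
        sampwidth * 8,                      # bits per sample
    )
    fmt_chunk = b"fmt " + struct.pack("<I", len(fmt_body)) + fmt_body
    size = len(frames) if declared_size is None else declared_size
    data_chunk = b"data" + struct.pack("<I", size) + frames
    body = b"WAVE" + fmt_chunk + data_chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


def describe_wav(data):
    """Parse a WAV header defensively (hypothetical helper for this example).

    Returns (True, params) for an acceptable file and (False, reason)
    otherwise; no exception from wave.py escapes to the caller.
    """
    try:
        with wave.open(io.BytesIO(data), "rb") as w:
            p = w.getparams()
    except WAV_PARSE_ERRORS as exc:
        return False, f"{type(exc).__name__}: {exc}"
    # Values parsed from the header are attacker controlled; sanity-check
    # them before trusting them for buffer sizing or readframes() calls.
    if p.nchannels > MAX_CHANNELS or p.sampwidth > MAX_SAMPWIDTH:
        return False, "implausible channel count or sample width"
    if p.nframes > MAX_FRAMES:
        return False, "declared frame count exceeds limit"
    return True, {
        "nchannels": p.nchannels,
        "sampwidth": p.sampwidth,
        "framerate": p.framerate,
        "nframes": p.nframes,
    }


if __name__ == "__main__":
    # Constructed inputs: one well-formed file and several malformed ones.
    samples = {
        "valid": build_wav(1, 2, 8000, b"\x00\x01\x02\x03"),
        "zero channels": build_wav(0, 2, 8000, b"\x00\x01"),
        "zero sample width": build_wav(1, 0, 8000, b""),
        "oversized data header": build_wav(1, 2, 8000, b"", declared_size=2**31),
        "truncated": build_wav(1, 2, 8000, b"\x00" * 4)[:20],
        "not a wav": b"not a wav file at all",
    }
    for name, blob in samples.items():
        print(f"{name:>22}: {describe_wav(blob)}")
```

The point of the caps is the one the reply makes about responsibility: wave.py can only reject what it can recognise as malformed, while a header that is internally consistent but declares, say, a multi-gigabyte data chunk is the application's problem to refuse before it sizes a buffer or calls readframes().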