Index: src/wp-admin/includes/media.php
===================================================================
--- src/wp-admin/includes/media.php	(revision 45226)
+++ src/wp-admin/includes/media.php	(working copy)
@@ -3260,6 +3260,35 @@
 }
 
 /**
+ * Sanitizes metadata extracted from media files.
+ *
+ * Currently only binary strings are sanitized with focus on preventing propagation of
+ * bad character encodings from causing database calls and API endpoints to fail.
+ *
+ * @param array $metadata An existing array with data
+ *
+ * @return array Returns array of sanitized metadata.
+ */
+function wp_sanitize_media_metadata( $metadata ) {
+	if ( ! is_array( $metadata ) ) {
+		return $metadata;
+	}
+	foreach ( $metadata as $name => $value ) {
+		if ( ! is_string( $value ) ) {
+			continue;
+		}
+		if ( is_array( $value ) ) {
+			$value = wp_sanitize_media_metadata( $value );
+		} elseif ( is_string( $value ) && preg_match('~[^\x20-\x7E\t\r\n]~', $value ) > 0 ) {
+			$encoding = mb_detect_encoding( $value, 'ISO-8859-1, UCS-2' );
+			$value = $encoding ? mb_convert_encoding( $value, 'UTF-8', $encoding ) : utf8_encode( $value );
+		}
+		$metadata[$name] = $value;
+	}
+	return $metadata;
+}
+
+/**
  * Retrieve metadata from a video file's ID3 tags
  *
  * @since 3.6.0
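Review bot: In `wp_sanitize_media_metadata()` the `is_array( $value )` branch can never run, because the preceding `if ( ! is_string( $value ) ) { continue; }` skips every non-string value first, so nested metadata arrays come back unsanitized. Dropping that guard makes the recursion reachable, and the `elseif` already checks `is_string()` on its own. Separately, the byte-wise pattern `~[^\x20-\x7E\t\r\n]~` also matches strings that are already valid UTF-8, and since `ISO-8859-1` accepts any byte sequence, `mb_detect_encoding()` will most likely select it and re-encode well-formed text into mojibake. Adding something like `&& ! mb_check_encoding( $value, 'UTF-8' )` to the `elseif` condition would leave valid UTF-8 untouched. The new docblock is also missing an `@since` tag.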
@@ -3341,6 +3370,8 @@
 
 	$file_format = isset( $metadata['fileformat'] ) ? $metadata['fileformat'] : null;
 
+	$metadata = wp_sanitize_media_metadata( $metadata );
+
 	/**
 	 * Filters the array of metadata retrieved from a video.
 	 *
@@ -3412,6 +3443,8 @@
 
 	wp_add_id3_tag_data( $metadata, $data );
 
+	$metadata = wp_sanitize_media_metadata( $metadata );
+
 	return $metadata;
 }
 
Index: src/wp-includes/post.php
===================================================================
--- src/wp-includes/post.php	(revision 45226)
+++ src/wp-includes/post.php	(working copy)
@@ -5538,7 +5538,8 @@
 	}
 
 	$data = get_post_meta( $post->ID, '_wp_attachment_metadata', true );
-
+	$data = wp_sanitize_media_metadata( $data );
+	
 	if ( $unfiltered ) {
 		return $data;
 	}
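Review bot: The added `wp_sanitize_media_metadata( $data )` call is in `src/wp-includes/post.php`, but this patch defines the function in `src/wp-admin/includes/media.php`. If that admin include is not loaded on front-end requests (as is usual for files under `wp-admin/includes`), reading attachment metadata outside the admin would fail with an undefined-function fatal error. Defining the helper in a file under `wp-includes`, or sanitizing only where the metadata is first extracted (the two readers patched in `media.php`), would avoid that. The call also sits before the `if ( $unfiltered )` return, so callers that ask for unfiltered data now receive altered values; the line added after the call contains only a tab. The enclosing function starts and ends outside this hunk.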
