Yes, @tehjh on Twitter pointed this out. The CBC code is in Util.cpp, _readcbc; it appears to be length-delimited instead of padded, so there's probably another error oracle in the decoding of the length/type block.

Also: in PWSfileV3.cpp, are they HMAC'ing the IV?

This is interesting; we might be able to make an exercise out of it.