diff --git a/libavcodec/h264_mp4toannexb_bsf.c b/libavcodec/h264_mp4toannexb_bsf.c
index f6ff369940..79f025d305 100644
--- a/libavcodec/h264_mp4toannexb_bsf.c
+++ b/libavcodec/h264_mp4toannexb_bsf.c
@@ -182,7 +182,7 @@ static void h264_mp4toannexb_modify_encryption_info(AVPacket *pkt, uint64_t new_
 return;
 }
 side_data = (AV_DrmCencInfo *)av_packet_get_side_data(pkt, AV_PKT_DATA_ENCRYPTION_INFO, &side_data_size);
- if ((side_data != NULL) && (side_data_size != 0)) {
+ if ((side_data != NULL) && (side_data_size != 0) && (side_data->sub_sample_num <= AV_DRM_MAX_SUB_SAMPLE_NUM)) {
 uint64_t total_size = 0;
 for (uint32_t i = 0; i < side_data->sub_sample_num; i++) {
 total_size +=
diff --git a/libavformat/mpegts.c b/libavformat/mpegts.c
index 4ea003012b..c0e26181e5 100644
--- a/libavformat/mpegts.c
+++ b/libavformat/mpegts.c
@@ -669,7 +669,7 @@ static int mpegts_drm_get_iv(uint8_t *data, uint32_t data_size, uint32_t *pos, A
 }
 uint32_t iv_len = (uint32_t)(data[offset]);
 offset += 1; // 1 skip iv len
- if (offset + iv_len > data_size) {
+ if ((offset + iv_len > data_size) || (iv_len > AV_DRM_IV_SIZE)) {
 av_log(NULL, AV_LOG_ERROR, "cei data too short\n");
 return -1;
 } else {
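Review bot: The added condition in h264_mp4toannexb_modify_encryption_info reads `side_data->sub_sample_num` when only `side_data_size != 0` has been established, so a side-data buffer shorter than `AV_DrmCencInfo` would still be read past its end before the new bound is applied. Replacing `(side_data_size != 0)` with `(side_data_size >= sizeof(AV_DrmCencInfo))` would make the dereference safe; the declared type of `side_data_size` is outside the hunk, so the comparison may need a cast. A packet whose count exceeds `AV_DRM_MAX_SUB_SAMPLE_NUM` now skips the whole update silently, and an `av_log` warning on that path would make malformed encryption info visible during triage. The function body starts before and continues past this hunk, so the visible lines do not show whether later code depends on the skipped update.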
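Review bot: The new `iv_len > AV_DRM_IV_SIZE` rejection in mpegts_drm_get_iv still logs "cei data too short", which misreports an oversized IV length as truncation and hides the case most likely to indicate a malformed or hostile stream. A message that carries the value, e.g. `av_log(NULL, AV_LOG_ERROR, "cei iv len %"PRIu32" exceeds limit or data too short\n", iv_len);`, would let the two failures be told apart in logs. The sum `offset + iv_len` is also unsigned arithmetic that can wrap if `offset` is not already known to be within `data_size`; that check is not visible here, and `iv_len > data_size - offset` would be the wrap-free form if it is guaranteed earlier. The function continues on both sides of the hunk, so the copy into the IV buffer in the `else` branch is not shown.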