diff --git a/mpp/codec/dec/h264/h264d_sei.c b/mpp/codec/dec/h264/h264d_sei.c
index be4217b5..2ae3b719 100644
--- a/mpp/codec/dec/h264/h264d_sei.c
+++ b/mpp/codec/dec/h264/h264d_sei.c
@@ -17,6 +17,7 @@
 #define MODULE_TAG "h264d_sei"
+#include
 #include
 #include
@@ -249,6 +250,12 @@ MPP_RET process_sei(H264_SLICE_t *currSlice)
     tmp_byte = 0xFF;
     sei_msg->type = 0;
     while (tmp_byte == 0xFF) {
+        if (p_bitctx->bytes_left_ < 2 || sei_msg->type > INT_MAX - 255) {
+            mpp_err("parse payload_type error: byte_left %d payload_type %d\n",
+                    p_bitctx->bytes_left_, sei_msg->type);
+            return MPP_ERR_STREAM;
+        }
+
         READ_BITS(p_bitctx, 8, &tmp_byte);
         sei_msg->type += tmp_byte;
     }
@@ -256,10 +263,22 @@ MPP_RET process_sei(H264_SLICE_t *currSlice)
     tmp_byte = 0xFF;
     sei_msg->payload_size = 0;
     while (tmp_byte == 0xFF) {
+        if ((RK_S32)p_bitctx->bytes_left_ < sei_msg->payload_size + 1) {
+            mpp_err("parse payload_size error: byte_left %d payload_size %d\n",
+                    p_bitctx->bytes_left_, sei_msg->payload_size + 1);
+            return MPP_ERR_STREAM;
+        }
+
         READ_BITS(p_bitctx, 8, &tmp_byte);
         sei_msg->payload_size += tmp_byte;
     }
+    if ((RK_S32)p_bitctx->bytes_left_ < sei_msg->payload_size) {
+        mpp_err("parse payload_size error: byte_left %d payload_size %d\n",
+                p_bitctx->bytes_left_, sei_msg->payload_size);
+        return MPP_ERR_STREAM;
+    }
+
     H264D_DBG(H264D_DBG_SEI, "SEI type %d, payload size: %d\n", sei_msg->type, sei_msg->payload_size);
     memset(&payload_bitctx, 0, sizeof(payload_bitctx));
diff --git a/mpp/codec/dec/h265/h265d_sei.c b/mpp/codec/dec/h265/h265d_sei.c
index d7009ca7..45a9a1c4 100644
--- a/mpp/codec/dec/h265/h265d_sei.c
+++ b/mpp/codec/dec/h265/h265d_sei.c
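Review bot: In the guard inside the payload_size loop, the `mpp_err` prints `sei_msg->payload_size + 1` under the label `payload_size`, so the log reports a size one larger than the accumulator actually holds and reads exactly like the post-loop message that prints the real value; log the requirement under its own name instead, e.g. `mpp_err("parse payload_size error: byte_left %d need %d\n", p_bitctx->bytes_left_, sei_msg->payload_size + 1);`. The `(RK_S32)` casts in the second and third guards suggest `bytes_left_` is unsigned, in which case the `%d` conversions used for it in all three messages should be `%u`, and the first guard comparing it unsigned (`bytes_left_ < 2`) while the other two compare it as RK_S32 is an inconsistency worth settling one way. These three guards are repeated byte-for-byte in the h265 hunk of mpp_hevc_decode_nal_sei in this same commit, so a shared `static inline` bounds helper next to READ_BITS would keep the two SEI parsers from drifting apart on the next fix. process_sei continues outside these hunks, so whether the caller discards the rest of the NAL on MPP_ERR_STREAM cannot be confirmed from here.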
@@ -422,15 +422,33 @@ MPP_RET mpp_hevc_decode_nal_sei(HEVCContext *s)
     payload_size = 0;
     byte = 0xFF;
     while (byte == 0xFF) {
+        if (gb->bytes_left_ < 2 || payload_type > INT_MAX - 255) {
+            mpp_err("parse payload_type error: byte_left %d payload_type %d\n",
+                    gb->bytes_left_, payload_type);
+            return MPP_ERR_STREAM;
+        }
+
         READ_BITS(gb, 8, &byte);
         payload_type += byte;
     }
     byte = 0xFF;
     while (byte == 0xFF) {
+        if ((RK_S32)gb->bytes_left_ < payload_size + 1) {
+            mpp_err("parse payload_size error: byte_left %d payload_size %d\n",
+                    gb->bytes_left_, payload_size + 1);
+            return MPP_ERR_STREAM;
+        }
+
         READ_BITS(gb, 8, &byte);
         payload_size += byte;
     }
+    if ((RK_S32)gb->bytes_left_ < payload_size) {
+        mpp_err("parse payload_size error: byte_left %d payload_size %d\n",
+                gb->bytes_left_, payload_size);
+        return MPP_ERR_STREAM;
+    }
+
     memset(&payload_bitctx, 0, sizeof(payload_bitctx));
     mpp_set_bitread_ctx(&payload_bitctx, s->HEVClc->gb.data_, payload_size);
     mpp_set_bitread_pseudo_code_type(&payload_bitctx, PSEUDO_CODE_H264_H265_SEI);
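Review bot: The first guard uses `INT_MAX`, but the h265d_sei.c part of this diff starts directly at line 422 and adds no header include, whereas h264d_sei.c gets a new `#include` in its first hunk (presumably `<limits.h>`, the header name did not survive rendering); unless `<limits.h>` already reaches this file through another header, this does not compile, so the include belongs at the top of h265d_sei.c too. The remarks on the h264 hunks (the `payload_size + 1` logged under the label `payload_size`, `%d` for what the casts suggest is an unsigned `bytes_left_`, and the three guards being duplicated across both decoders) apply to this hunk unchanged. The hunk's first context line is `payload_size = 0;`, so the `payload_type = 0;` reset the overflow check relies on lies above the hunk and is assumed rather than seen.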