diff --git a/libavformat/rtpdec.c b/libavformat/rtpdec.c
index 07f4cc35c5..0f6ed27ff6 100644
--- a/libavformat/rtpdec.c
+++ b/libavformat/rtpdec.c
@@ -112,14 +112,15 @@ RTPDynamicProtocolHandler *ff_rtp_handler_find_by_id(int id,
 static int rtcp_parse_packet(RTPDemuxContext *s, const unsigned char *buf, int len)
 {
     int payload_len;
-    while (len >= 2) {
+    while (len >= 4) {
+        payload_len = FFMIN(len, (AV_RB16(buf + 2) + 1) * 4);
+
         switch (buf[1]) {
         case RTCP_SR:
-            if (len < 20) {
+            if (payload_len < 20) {
                 av_log(NULL, AV_LOG_ERROR, "Invalid length for RTCP SR packet\n");
                 return AVERROR_INVALIDDATA;
             }
-            payload_len = (AV_RB16(buf + 2) + 1) * 4;
 
             s->last_rtcp_ntp_time = AV_RB64(buf + 8);
             s->last_rtcp_timestamp = AV_RB32(buf + 16);
@@ -130,14 +131,13 @@ static int rtcp_parse_packet(RTPDemuxContext *s, const unsigned char *buf, int l
                 s->rtcp_ts_offset = s->last_rtcp_timestamp - s->base_timestamp;
             }
 
-            buf += payload_len;
-            len -= payload_len;
             break;
         case RTCP_BYE:
             return -RTCP_BYE;
-        default:
-            return -1;
         }
+
+        buf += payload_len;
+        len -= payload_len;
     }
     return -1;
 }