diff --git a/taglib/mp4/mp4chapterlist.cpp b/taglib/mp4/mp4chapterlist.cpp
index 606de55b..5314e4fa 100644
--- a/taglib/mp4/mp4chapterlist.cpp
+++ b/taglib/mp4/mp4chapterlist.cpp
@@ -83,7 +83,8 @@ namespace
         unsigned int count = data.toUInt();
         file->seek(atom->offset() + 16);
         unsigned int pos = 4;
-        while(count--) {
+        const unsigned int maxPos = data.size() - 4;
+        while(count-- && pos <= maxPos) {
           auto o = static_cast<offset_t>(data.toUInt(pos));
           if(o > offset)
             o += delta;
@@ -101,7 +102,8 @@ namespace
         unsigned int count = data.toUInt();
         file->seek(atom->offset() + 16);
         unsigned int pos = 4;
-        while(count--) {
+        const unsigned int maxPos = data.size() - 8;
+        while(count-- && pos <= maxPos) {
           long long o = data.toLongLong(pos);
           if(o > offset)
             o += delta;
diff --git a/taglib/mp4/mp4qtchapterlist.cpp b/taglib/mp4/mp4qtchapterlist.cpp
index 3afc572a..ccdeccfb 100644
--- a/taglib/mp4/mp4qtchapterlist.cpp
+++ b/taglib/mp4/mp4qtchapterlist.cpp
@@ -95,7 +95,8 @@ namespace
         unsigned int count = data.toUInt();
         file->seek(atom->offset() + 16);
         unsigned int pos = 4;
-        while(count--) {
+        const unsigned int maxPos = data.size() - 4;
+        while(count-- && pos <= maxPos) {
           auto o = static_cast<offset_t>(data.toUInt(pos));
           if(o > offset)
             o += delta;
@@ -113,7 +114,8 @@ namespace
         unsigned int count = data.toUInt();
         file->seek(atom->offset() + 16);
         unsigned int pos = 4;
-        while(count--) {
+        const unsigned int maxPos = data.size() - 8;
+        while(count-- && pos <= maxPos) {
           long long o = data.toLongLong(pos);
           if(o > offset)
             o += delta;