Diff between ec17923aa6e1d2010100afbd06b950e287dd972b and 4e2f84dd9e689cfbd206f5c250164e3fec997538

Changed Files

File Additions Deletions Status
profiles/audio/avrcp.c +11 -3 modified

Full Patch

diff --git a/profiles/audio/avrcp.c b/profiles/audio/avrcp.c
index 98a0ea2..4d39a01 100644
--- a/profiles/audio/avrcp.c
+++ b/profiles/audio/avrcp.c
@@ -2108,16 +2108,17 @@ static gboolean avrcp_get_media_player_list_rsp(struct avctp *conn,
 						size_t operand_count,
 						void *user_data)
 {
+	struct avrcp_browsing_header *pdu = (void *) operands;
 	struct avrcp *session = user_data;
 	uint16_t count;
-	int i;
+	size_t i;
 
-	if (operands[3] != AVRCP_STATUS_SUCCESS || operand_count < 5)
+	if (pdu->params[0] != AVRCP_STATUS_SUCCESS || operand_count < 5)
 		return FALSE;
 
 	count = bt_get_be16(&operands[6]);
 
-	for (i = 8; count; count--) {
+	for (i = 8; count && i < operand_count; count--) {
 		uint8_t type;
 		uint16_t len;
 
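Review bot: The guard `operand_count < 5` kept on the new status line does not cover the two bytes read by `bt_get_be16(&operands[6])` three lines below, so a response of 5 to 7 operand bytes still reads past the buffer even after this fix. Since the item loop starts at offset 8, the minimum should match that header size, e.g. `if (pdu->params[0] != AVRCP_STATUS_SUCCESS || operand_count < 8)`. As a point of style, the same buffer is now addressed both through `pdu` and through `operands`; if `params` starts at operand offset 3 (as the replaced `operands[3]` suggests), reading the count as `bt_get_be16(&pdu->params[3])` would keep the offsets in one view. The function's signature begins above the hunk.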
@@ -2130,7 +2131,14 @@ static gboolean avrcp_get_media_player_list_rsp(struct avctp *conn,
 			continue;
 		}
 
+		if (i + len > operand_count) {
+			error("Invalid player item length");
+			return FALSE;
+		}
+
 		avrcp_parse_media_player_item(session, &operands[i], len);
+
+		i += len;
 	}
 
 	return FALSE;
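Review bot: The added `i + len > operand_count` check bounds the item payload, but the reads of each item's type and 16-bit length fields lie in the lines between the two hunks, which are not visible here, and from what is shown they are guarded only by the loop condition `i < operand_count`, which guarantees a single byte. If those reads are unguarded, a check before them such as `if (i + 3 > operand_count) return FALSE;` is still needed, with the constant set to the actual per-item header size; the new `i += len` must then be consistent with wherever `i` was advanced past that header. The enclosing loop starts in the first hunk.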