diff --git a/libmpcodecs/vd_realvid.c b/libmpcodecs/vd_realvid.c
index 6bee6c2aca..acdc38ee3f 100644
--- a/libmpcodecs/vd_realvid.c
+++ b/libmpcodecs/vd_realvid.c
@@ -253,7 +253,10 @@ static int init(sh_video_t *sh){
 }
 // setup rv30 codec (codec sub-type and image dimensions):
 if((sh->format<=0x30335652) && (extrahdr[1]>=0x20200002)){
- uint32_t cmsg24[4]={sh->disp_w,sh->disp_h,((unsigned short *)extrahdr)[4],((unsigned short *)extrahdr)[5]};
+ // We could read nonsense data while filling this, but input is big enough so no sig11
+ uint32_t cmsg24[8]={sh->disp_w,sh->disp_h,((unsigned char *)extrahdr)[8]*4,((unsigned char *)extrahdr)[9]*4,
+ ((unsigned char *)extrahdr)[10]*4,((unsigned char *)extrahdr)[11]*4,
+ ((unsigned char *)extrahdr)[12]*4,((unsigned char *)extrahdr)[13]*4};
 cmsg_data_t cmsg_data={0x24,1+((extrahdr[0]>>16)&7), &cmsg24[0]};
 #ifdef USE_WIN32DLL
diff --git a/libmpdemux/demux_real.c b/libmpdemux/demux_real.c
index 86c16b89cd..111998b507 100644
--- a/libmpdemux/demux_real.c
+++ b/libmpdemux/demux_real.c
@@ -1447,8 +1447,8 @@ void demux_open_real(demuxer_t* demuxer)
 mp_msg(MSGT_DEMUX,MSGL_V,"video fourcc: %.4s (%x)\n", (char *)&sh->format, sh->format);
 /* emulate BITMAPINFOHEADER */
- sh->bih = malloc(sizeof(BITMAPINFOHEADER)+12);
- memset(sh->bih, 0, sizeof(BITMAPINFOHEADER)+12);
+ sh->bih = malloc(sizeof(BITMAPINFOHEADER)+16);
+ memset(sh->bih, 0, sizeof(BITMAPINFOHEADER)+16);
 sh->bih->biSize = 48;
 sh->disp_w = sh->bih->biWidth = stream_read_word(demuxer->stream);
 sh->disp_h = sh->bih->biHeight = stream_read_word(demuxer->stream);
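Review bot: The new comment in init() (vd_realvid.c) asserts that the input is big enough, but nothing in this hunk checks it: bytes 8..13 of the extradata are read unconditionally, and the only guarantee visible in this commit is the zero-filled `sizeof(BITMAPINFOHEADER)+16` allocation in demux_real.c. If sh->bih can reach this decoder from another producer with shorter extradata (not visible here), this becomes an out-of-bounds read driven by file contents, so the assumption should be enforced or at least stated as a contract, e.g. `// needs >= 14 bytes after the BITMAPINFOHEADER; demux_real.c allocates 16, zero-filled`. The element count handed to the codec, `1+((extrahdr[0]>>16)&7)`, also comes straight from the file and is not tied to how many bytes the demuxer actually stored; if the codec treats it as a number of width/height pairs, values above 4 would make it read past the 8-entry `cmsg24`, so clamping it to what the array holds looks prudent. init() starts and ends outside the hunk, so an existing length check elsewhere cannot be ruled out.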
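Review bot: The result of `malloc` is still passed to `memset` without a NULL check in demux_open_real() (its body extends beyond this hunk); `sh->bih = calloc(1, sizeof(BITMAPINFOHEADER)+16);` followed by a NULL test would cover both the check and the zero fill. The literal 16 is also coupled to the `8+ii` writes (at most offset 13) in the later hunk of this file and to the byte reads in vd_realvid.c, so a named constant shared by the three sites would keep them from drifting apart. `sh->bih->biSize = 48` is unchanged, which with the usual 40-byte BITMAPINFOHEADER declares only 8 extra bytes while the new code stores data beyond that; unless biSize is updated later outside the hunk, any consumer that sizes the extradata from biSize will not see those bytes.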
@@ -1517,9 +1517,19 @@ void demux_open_real(demuxer_t* demuxer)
 }
 if((sh->format<=0x30335652) && (tmp>=0x20200002)){
- // read secondary WxH for the cmsg24[] (see vd_realvid.c)
- ((unsigned short*)(sh->bih+1))[4]=4*(unsigned short)stream_read_char(demuxer->stream); //widht
- ((unsigned short*)(sh->bih+1))[5]=4*(unsigned short)stream_read_char(demuxer->stream); //height
+ // read data for the cmsg24[] (see vd_realvid.c)
+ unsigned int cnt = codec_data_size - (stream_tell(demuxer->stream) - codec_pos);
+ if (cnt < 2) {
+ mp_msg(MSGT_DEMUX, MSGL_ERR,"realvid: cmsg24 data too short (size %u)\n", cnt);
+ } else {
+ int ii;
+ if (cnt > 6) {
+ mp_msg(MSGT_DEMUX, MSGL_WARN,"realvid: cmsg24 data too big, please report (size %u)\n", cnt);
+ cnt = 6;
+ }
+ for (ii = 0; ii < cnt; ii++)
+ ((unsigned char*)(sh->bih+1))[8+ii]=(unsigned short)stream_read_char(demuxer->stream);
+ }
 }
 /* Select video stream with highest bitrate if multirate file*/
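Review bot: `cnt` is computed with unsigned arithmetic, so if the header parsing earlier in demux_open_real() has already consumed more than `codec_data_size` bytes the subtraction wraps to a huge value, which the `cnt > 6` branch then accepts and reads six bytes that belong to whatever follows the codec data. Computing the consumed length first (say `used`) and setting `cnt = used < codec_data_size ? codec_data_size - used : 0;` would route that case to the existing "too short" error; the types of `codec_pos` and `codec_data_size` are declared outside the hunk, so the wrap is inferred rather than confirmed. The return value of `stream_read_char` is stored without an end-of-stream check, the `(unsigned short)` cast is a leftover now that the destination is an `unsigned char`, and `int ii` is compared against an unsigned `cnt`. The clamp to 6 does keep the writes within offsets 8..13, inside the 16 extra bytes allocated earlier in this file.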