diff --git a/lib/templatesimplifier.cpp b/lib/templatesimplifier.cpp
index 1f90593560f..1291993990d 100644
--- a/lib/templatesimplifier.cpp
+++ b/lib/templatesimplifier.cpp
@@ -690,6 +690,8 @@ bool TemplateSimplifier::getTemplateDeclarations()
 else if (Token::Match(tok2, "{|=|;")) {
 const int namepos = getTemplateNamePosition(parmEnd);
 if (namepos > 0) {
+ if (!tok->scopeInfo())
+ syntaxError(tok);
 TokenAndName decl(tok, tok->scopeInfo()->name, parmEnd->tokAt(namepos), parmEnd);
 if (decl.isForwardDeclaration()) {
 // Declaration => add to mTemplateForwardDeclarations
diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
index 952ba4b6c00..f113e0af016 100644
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@@ -8936,12 +8936,16 @@ void Tokenizer::findGarbageCode() const
 syntaxError(tok);
 if (Token::Match(tok, "& %comp%|&&|%oror%|&|%or%") && tok->strAt(1) != ">")
 syntaxError(tok);
+ if (Token::Match(tok, "%comp%|&&|%oror%|&|%or% }") && tok->str() != ">")
+ syntaxError(tok);
 if (Token::Match(tok, "^ %op%") && !Token::Match(tok->next(), "[>*+-!~]"))
 syntaxError(tok);
 if (Token::Match(tok, ": [)]=]"))
 syntaxError(tok);
 if (Token::Match(tok, "typedef [,;:]"))
 syntaxError(tok);
+ if (Token::Match(tok, "? %assign%"))
+ syntaxError(tok);
 if (Token::Match(tok, "!|~ %comp%") &&
 !(cpp && tok->strAt(1) == ">" && Token::simpleMatch(tok->tokAt(-1), "operator")))
 syntaxError(tok);
diff --git a/lib/tokenlist.cpp b/lib/tokenlist.cpp
index 2ed39b82f43..1e476a14ec5 100644
--- a/lib/tokenlist.cpp
+++ b/lib/tokenlist.cpp
@@ -295,6 +295,8 @@ void TokenList::insertTokens(Token *dest, const Token *src, nonneg int n)
 std::stack link;
 while (n > 0) {
+ if (!src)
+ throw InternalError(dest, std::string(__func__) + ": invalid source range", InternalError::INTERNAL);
 dest->insertToken(src->str(), src->originalName());
 dest = dest->next();
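Review bot: In lib/templatesimplifier.cpp the new `if (!tok->scopeInfo()) syntaxError(tok);` guard protects the `tok->scopeInfo()->name` dereference on the next line only if `syntaxError()` never returns, and nothing in the hunk says so. A comment above the guard would make that dependency explicit, e.g. `// malformed input can leave tok without scope info; syntaxError() does not return`, assuming that is its contract. The analyzer is commonly run on source it does not control, so a null dereference here is a crash reachable from untrusted input and the guard should stay obvious to later refactors. getTemplateDeclarations() starts and ends outside the hunk.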
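Review bot: In lib/tokenize.cpp the `tok->str() != ">"` exemption on the new `"%comp%|&&|%oror%|&|%or% }"` check in findGarbageCode() is undocumented, so a reader cannot tell which valid `> }` sequence it is meant to let through. If the reason is a closing template bracket, a comment such as `// '>' may close a template argument list directly before '}'` would say so; the check directly above has the mirrored `tok->strAt(1) != ">"` exemption and the same gap. Both this check and the new `"? %assign%"` one appear to be covered only by the fuzz reproducers added in this commit. A small unit test with a valid `> }` input would guard against the pattern rejecting real code later. The function body continues outside the hunk.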
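Review bot: In lib/tokenlist.cpp the new `if (!src)` check in TokenList::insertTokens() stops the null dereference but does not record why `src` can run out before `n` reaches zero, which is the actual precondition being violated. A comment on the guard would state it, e.g. `// src has fewer than n tokens: the caller passed an inconsistent range`. The throw is also classified `InternalError::INTERNAL`; if the fuzz reproducers reach it through malformed input alone, the caller that computed `n` is presumably where the input should be rejected, though that code is not visible here. The rest of the loop, including where `src` is advanced, lies outside the hunk.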
diff --git a/test/cli/fuzz-crash/crash-9eb2c9e545b361a17d74ccd4e8c933ca65542b12 b/test/cli/fuzz-crash/crash-9eb2c9e545b361a17d74ccd4e8c933ca65542b12
new file mode 100644
index 00000000000..8d7829b6343
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-9eb2c9e545b361a17d74ccd4e8c933ca65542b12
@@ -0,0 +1 @@
+{template<>i}template<>fact2(){fact2<3>()}
\ No newline at end of file
diff --git a/test/cli/fuzz-crash/crash-a03d001b1336e191debffcde652ce5fb63d0a7d6 b/test/cli/fuzz-crash/crash-a03d001b1336e191debffcde652ce5fb63d0a7d6
new file mode 100644
index 00000000000..0a3ef8a3bb2
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-a03d001b1336e191debffcde652ce5fb63d0a7d6
@@ -0,0 +1 @@
+(c[?=3:4])p
\ No newline at end of file
diff --git a/test/cli/fuzz-crash/crash-c36b9a5f7fce91031cb578ef591f90d48d95a7f4 b/test/cli/fuzz-crash/crash-c36b9a5f7fce91031cb578ef591f90d48d95a7f4
new file mode 100644
index 00000000000..094721301b9
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-c36b9a5f7fce91031cb578ef591f90d48d95a7f4
@@ -0,0 +1 @@
+cs=t,{;{}}>l
\ No newline at end of file
diff --git a/test/cli/fuzz-crash_c/crash-24c217c96d177b8dff4028bce639756d6a8c6088 b/test/cli/fuzz-crash_c/crash-24c217c96d177b8dff4028bce639756d6a8c6088
new file mode 100644
index 00000000000..161962b6fe4
--- /dev/null
+++ b/test/cli/fuzz-crash_c/crash-24c217c96d177b8dff4028bce639756d6a8c6088
@@ -0,0 +1 @@
+f(S=n){n*,n&&}
\ No newline at end of file
diff --git a/test/cli/fuzz_test.py b/test/cli/fuzz_test.py
index b8cf09a5657..f1dbcd2983e 100644
--- a/test/cli/fuzz_test.py
+++ b/test/cli/fuzz_test.py
@@ -11,9 +11,9 @@ def test_fuzz_crash():
 fuzz_crash_dir = os.path.join(__script_dir, 'fuzz-crash')
 for f in os.listdir(fuzz_crash_dir):
- ret, stdout, _ = cppcheck(['-q', '--language=c++', '--enable=all', '--inconclusive', f], cwd=fuzz_crash_dir)
+ ret, stdout, stderr = cppcheck(['-q', '--language=c++', '--enable=all', '--inconclusive', f], cwd=fuzz_crash_dir)
 if ret != 0:
- failures[f] = stdout
+ failures[f] = stdout + stderr
 assert failures == {}
@@ -26,9 +26,9 @@ def test_fuzz_crash_c():
 if not os.path.exists(fuzz_crash_dir):
 return
 for f in os.listdir(fuzz_crash_dir):
- ret, stdout, _ = cppcheck(['-q', '--language=c', '--enable=all', '--inconclusive', f], cwd=fuzz_crash_dir)
+ ret, stdout, stderr = cppcheck(['-q', '--language=c', '--enable=all', '--inconclusive', f], cwd=fuzz_crash_dir)
 if ret != 0:
- failures[f] = stdout + stderr
 assert failures == {}
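Review bot: The failure record in test_fuzz_crash() still omits `ret`, and `stdout + stderr` joins the two streams with no separator; the same line in test_fuzz_crash_c() has both problems. For a crash corpus the exit status is the first thing needed for triage, because a process killed by a signal may print nothing at all and then shows up as an empty string in the assertion diff. Something like `failures[f] = 'exit code {}\n{}\n{}'.format(ret, stdout, stderr)` keeps `assert failures == {}` working while making each entry self-explanatory. Both functions begin outside their hunks, so how `failures` is initialised is not visible here.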