diff --git a/lib/tokenize.cpp b/lib/tokenize.cpp
index 8278cc29dd3..5f9ee4809a7 100644
--- a/lib/tokenize.cpp
+++ b/lib/tokenize.cpp
@@ -860,6 +860,10 @@ namespace {
                     Token::createMutualLinks(tok3->next(), after->previous());
                 }
             }
+            if (!after) {
+                mReplaceFailed = true;
+                return;
+            }
 
             bool useAfterVarRange = true;
             if (Token::simpleMatch(mRangeAfterVar.first, "[")) {
@@ -1124,7 +1128,9 @@ void Tokenizer::simplifyTypedef()
     {
         // remove typedefs
         for (auto &t: typedefs) {
-            if (!t.second.replaceFailed()) {
+            if (t.second.replaceFailed()) {
+                syntaxError(t.second.getTypedefToken());
+            } else {
                 const Token* const typedefToken = t.second.getTypedefToken();
                 TypedefInfo typedefInfo;
                 typedefInfo.name = t.second.name();
diff --git a/test/cli/fuzz-crash/crash-44b5d1f53328660cbcb6e90793eae2ff8ffc4893 b/test/cli/fuzz-crash/crash-44b5d1f53328660cbcb6e90793eae2ff8ffc4893
new file mode 100644
index 00000000000..c45497a8601
--- /dev/null
+++ b/test/cli/fuzz-crash/crash-44b5d1f53328660cbcb6e90793eae2ff8ffc4893
@@ -0,0 +1 @@
+typedef q r[];r A
\ No newline at end of file