diff --git a/fuzz/CMakeLists.txt b/fuzz/CMakeLists.txt
index a4af925..daacf03 100644
--- a/fuzz/CMakeLists.txt
+++ b/fuzz/CMakeLists.txt
@@ -146,6 +146,9 @@ set(CORPUS_OTHER
     99999b.fuzz
     99999c.fuzz
     99999d.fuzz
+    99999e.fuzz
+    369662293.fuzz
+    369662293a.fuzz
 )
 set(CORPUS_DIR ${CMAKE_CURRENT_BINARY_DIR}/qpdf_corpus)
diff --git a/fuzz/qpdf_extra/369662293.fuzz b/fuzz/qpdf_extra/369662293.fuzz
new file mode 100644
index 0000000..dd5ab81
--- /dev/null
+++ b/fuzz/qpdf_extra/369662293.fuzz
diff --git a/fuzz/qpdf_extra/369662293a.fuzz b/fuzz/qpdf_extra/369662293a.fuzz
new file mode 100644
index 0000000..b26cb7a
--- /dev/null
+++ b/fuzz/qpdf_extra/369662293a.fuzz
diff --git a/fuzz/qpdf_extra/99999e.fuzz b/fuzz/qpdf_extra/99999e.fuzz
new file mode 100644
index 0000000..2ff35d2
--- /dev/null
+++ b/fuzz/qpdf_extra/99999e.fuzz
diff --git a/fuzz/qtest/fuzz.test b/fuzz/qtest/fuzz.test
index df5318c..6448d5f 100644
--- a/fuzz/qtest/fuzz.test
+++ b/fuzz/qtest/fuzz.test
@@ -11,7 +11,7 @@ my $td = new TestDriver('fuzz');
 my $qpdf_corpus = $ENV{'QPDF_FUZZ_CORPUS'} || die "must set QPDF_FUZZ_CORPUS";
-my $n_qpdf_files = 83; # increment when adding new files
+my $n_qpdf_files = 86; # increment when adding new files
 my @fuzzers = (
     ['ascii85' => 1],
diff --git a/libqpdf/QPDF.cc b/libqpdf/QPDF.cc
index 5a38ec9..12b23a8 100644
--- a/libqpdf/QPDF.cc
+++ b/libqpdf/QPDF.cc
@@ -1295,6 +1295,9 @@ QPDF::Xref_table::process_stream(qpdf_offset_t xref_offset, QPDFObjectHandle& xr
     if (!trailer_) {
         trailer_ = dict;
+        if (size > toS(max_id_)) {
+            throw damaged("Cross-reference stream /Size entry is impossibly large");
+        }
         table.resize(size);
     }
@@ -2061,6 +2064,7 @@ QPDF::resolveObjectsInStream(int obj_stream_number)
             (m->file->getName() + " object stream " + std::to_string(obj_stream_number)),
             bp.get()));
+    qpdf_offset_t last_offset = -1;
     for (int i = 0; i < n; ++i) {
         QPDFTokenizer::Token tnum = readToken(*input);
         QPDFTokenizer::Token toffset = readToken(*input);
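Review bot: In the process_stream hunk the new /Size guard sits after `trailer_ = dict;`, so by the time `damaged(...)` is thrown the xref table has already adopted the trailer of the stream it is rejecting; putting the `if (size > toS(max_id_))` block above that assignment leaves the object untouched on failure and reads as validate-then-commit. Whether anything inspects `trailer_` after the exception propagates is not visible here, so this may be tidiness rather than a live defect. The bound itself deserves a why-comment, since it is the only thing standing between a file-supplied /Size and `table.resize(size)`: `// /Size comes from the file; bound it by max_id_ before it drives table.resize`. process_stream begins before and continues after this hunk.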
@@ -2086,6 +2090,15 @@ QPDF::resolveObjectsInStream(int obj_stream_number)
                 "object stream claims to contain itself"));
             continue;
         }
+        if (offset <= last_offset) {
+            throw damagedPDF(
+                *input,
+                m->last_object_description,
+                input->getLastOffset(),
+                "expected offsets in object stream to be increasing");
+        }
+        last_offset = offset;
+
         offsets[num] = toI(offset + first);
     }
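Review bot: The new `offset <= last_offset` check, together with the `qpdf_offset_t last_offset = -1;` seed added in the previous hunk at line 2064, also rejects a negative first offset, and that second effect is easy to miss when the sentinel looks like it only exists to admit an offset of 0; a comment on the declaration, `// -1 so the first entry may have offset 0 and any negative offset is rejected`, would make both intents explicit. The "claims to contain itself" `continue` directly above the check bypasses `last_offset = offset;`, so a self-referencing entry is neither compared against the sequence nor advances it — presumably intended, but worth one line saying so. The strictly-increasing invariant itself is undocumented; a short comment above the `if` stating that duplicate or decreasing offsets are treated as damage (and, if accurate, which fuzz corpus case motivated it) would help the next reader. resolveObjectsInStream starts and ends outside this hunk, so I cannot see whether any earlier `continue` in the loop has the same skip behavior.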