diff --git a/src/modules/surjection/tests_impl.h b/src/modules/surjection/tests_impl.h
index cb00fefc..f7b6d34d 100644
--- a/src/modules/surjection/tests_impl.h
+++ b/src/modules/surjection/tests_impl.h
@@ -603,6 +603,8 @@ void test_fixed_vectors(void) {
 };
 const size_t total5_used5_len = sizeof(total5_used5);
+ unsigned char bad[sizeof(total5_used5) + 32] = { 0 };
+
 secp256k1_generator input_tags[5];
 secp256k1_generator output_tag;
 secp256k1_surjectionproof proof;
@@ -636,6 +638,24 @@ void test_fixed_vectors(void) {
 CHECK(secp256k1_surjectionproof_parse(ctx, &proof, total1_used1, total1_used1_len));
 CHECK(!secp256k1_surjectionproof_verify(ctx, &proof, &input_tags[1], 1, &output_tag));
 CHECK(!secp256k1_surjectionproof_verify(ctx, &proof, input_tags, 1, &input_tags[0]));
+
+ /* Try setting 6 bits on the total5-used-5; check that parsing fails */
+ memcpy(bad, total5_used5, total5_used5_len);
+ bad[2] = 0x3f; /* 0x1f -> 0x3f */
+ CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used5_len));
+ /* Correct for the length */
+ CHECK(secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used5_len + 32)); /* FIXME */
+ /* Alternately just turn off one of the "legit" bits */
+ bad[2] = 0x37; /* 0x1f -> 0x37 */
+ CHECK(secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used5_len)); /* FIXME */
+
+ /* Similarly try setting 4 bits on the total5-used-3, with one bit out of range */
+ memcpy(bad, total5_used3, total5_used3_len);
+ bad[2] = 0x35; /* 0x15 -> 0x35 */
+ CHECK(!secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used3_len));
+ CHECK(secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used3_len + 32)); /* FIXME */
+ bad[2] = 0x34; /* 0x15 -> 0x34 */
+ CHECK(secp256k1_surjectionproof_parse(ctx, &proof, bad, total5_used3_len)); /* FIXME */
 }
 void run_surjection_tests(void) {
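Review bot: The four `CHECK(secp256k1_surjectionproof_parse(...)); /* FIXME */` assertions in the second hunk pin the parser accepting a bitmap byte with bit 5 set (0x3f, 0x37, 0x35, 0x34), which the hunk's own comment calls out of range for these total5 vectors, yet the bare `FIXME` never says that rejection is the intended result. When the parser is later tightened, nobody can tell whether a failure on these lines is a regression or the desired outcome; I would spell it out on each, e.g. `/* FIXME: bit 5 is out of range for a 5-input proof; parse should reject this, flip to CHECK(!...) once it does */`. Until then it would also be worth asserting that `secp256k1_surjectionproof_verify` fails on each proof that parses here, so the malformed encoding is shown to be unusable downstream. Separately, after the second `memcpy` the 32 bytes past `total5_used3_len` are leftovers of the total5_used5 copy rather than zeros (assuming `total5_used3`, declared outside the hunk, is the shorter vector), so a `memset(bad, 0, sizeof(bad));` before that copy would make the case self-contained. test_fixed_vectors begins outside both hunks.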