Index: lib/StaticAnalyzer/Core/MemRegion.cpp
===================================================================
--- lib/StaticAnalyzer/Core/MemRegion.cpp
+++ lib/StaticAnalyzer/Core/MemRegion.cpp
@@ -23,6 +23,11 @@
 #include "clang/Basic/SourceManager.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h"
 #include "llvm/Support/raw_ostream.h"
+#include "llvm/Support/Debug.h"
+
+#include
+
+#define DEBUG_TYPE "MemRegion"
 using namespace clang;
 using namespace ento;
@@ -1176,6 +1181,15 @@
 }
 CharUnits size = C.getTypeSizeInChars(elemType);
+
+ // FIXME: proper overflow handling, for now we just report the limit
+ // as unknown.
+ auto Max = std::numeric_limits::max();
+ if (i > (Max - offset.getQuantity()) / size.getQuantity()) {
+ DEBUG(llvm::dbgs() << "MemRegion::getAsArrayOffset: "
+ << "offset overflowing, returning unknown\n");
+ return nullptr;
+ }
 offset += (i * size);
 }
Index: test/Analysis/region-store.cpp
===================================================================
--- test/Analysis/region-store.cpp
+++ test/Analysis/region-store.cpp
@@ -25,4 +25,13 @@
 Builder->setLoc(l);
 return Builder->accessBase();
-}
\ No newline at end of file
+}
+
+int **h;
+int overflow_in_memregion(long j) {
+ for (int l = 0;; ++l) {
+ if (j - l > 0)
+ return h[j][j]; // no-crash
+ }
+ return 0;
+}
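Review bot: The guard added in the second hunk before `offset += (i * size);` only covers a positive `i` and a non-negative running `offset`: with a negative index (the enclosing code appears to exclude only `i == 0`, but that check is outside the hunk) `i * size` can still overflow, and once `offset.getQuantity()` has gone negative the expression `Max - offset.getQuantity()` itself overflows, which is signed-overflow UB rather than the "return unknown" the FIXME promises. The check also divides by `size.getQuantity()`, which is zero for a zero-sized element type (a GNU zero-length array, for instance), so the crash fix would itself fault on such input; skipping the check when `size.isZero()` is enough, since the product contributes nothing. I would bound the magnitude of the product in unsigned arithmetic first and then check the addition in both directions, as sketched below, assuming `CharUnits::QuantityType` is `int64_t` (the `std::numeric_limits::max()` and the bare `#include` in the first hunk look like `<int64_t>` and `<limits>` were stripped in rendering, worth confirming against the real patch). The enclosing `getAsArrayOffset` body starts and ends outside the hunk.
```cpp
        CharUnits size = C.getTypeSizeInChars(elemType);

        // FIXME: proper overflow handling, for now we just report the limit
        // as unknown.  A zero-sized element contributes nothing and would
        // divide by zero below, so skip the check for it.
        if (!size.isZero()) {
          const int64_t Max = std::numeric_limits<int64_t>::max();
          const int64_t Min = std::numeric_limits<int64_t>::min();
          const uint64_t Size = static_cast<uint64_t>(size.getQuantity());
          // |i| computed without negating INT64_MIN.
          const uint64_t Mag = i < 0 ? 0 - static_cast<uint64_t>(i)
                                     : static_cast<uint64_t>(i);
          // First |i| * size must fit, then offset + i * size must fit.
          if (Mag > static_cast<uint64_t>(Max) / Size) {
            // … unchanged: DEBUG message …
            return nullptr;
          }
          const int64_t Prod = i * size.getQuantity();
          const int64_t Off = offset.getQuantity();
          if ((Prod > 0 && Off > Max - Prod) || (Prod < 0 && Off < Min - Prod)) {
            // … unchanged: DEBUG message …
            return nullptr;
          }
        }
        offset += (i * size);
```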