diff --git a/llvm/lib/Transforms/Utils/SimplifyLibCalls.cpp b/llvm/lib/Transforms/Utils/SimplifyLibCalls.cpp
--- a/llvm/lib/Transforms/Utils/SimplifyLibCalls.cpp
+++ b/llvm/lib/Transforms/Utils/SimplifyLibCalls.cpp
@@ -891,6 +891,18 @@
     }
   }
 
+  StringRef Str;
+  if (!getConstantStringInfo(SrcStr, Str, 0, /*TrimAtNul=*/false))
+    return nullptr;
+
+  uint64_t EndOff = UINT64_MAX;
+  if (LenC) {
+    EndOff = LenC->getZExtValue();
+    if (Str.size() < EndOff)
+      // Fold out-of-bounds accesses to null.
+      return Constant::getNullValue(CI->getType());
+  }
+
   return nullptr;
 }
 
diff --git a/llvm/test/Transforms/InstCombine/memrchr-2.ll b/llvm/test/Transforms/InstCombine/memrchr-2.ll
--- a/llvm/test/Transforms/InstCombine/memrchr-2.ll
+++ b/llvm/test/Transforms/InstCombine/memrchr-2.ll
@@ -15,8 +15,8 @@
 
 define i8* @fold_memrchr_a12345_1_ui32max_p1(i32 %0) {
 ; CHECK-LABEL: @fold_memrchr_a12345_1_ui32max_p1(
-; CHECK-NEXT:    [[RET:%.*]] = call i8* @memrchr(i8* noundef nonnull dereferenceable(4294967296) getelementptr inbounds ([5 x i8], [5 x i8]* @a12345, i64 0, i64 0), i32 [[TMP0:%.*]], i64 4294967296)
-; CHECK-NEXT:    ret i8* [[RET]]
+; CHECK-NEXT:    ret i8* null
+;
 
   %ptr = getelementptr [5 x i8], [5 x i8]* @a12345, i64 0, i64 0
   %ret = call i8* @memrchr(i8* %ptr, i32 %0, i64 4294967296)
@@ -30,6 +30,7 @@
 ; CHECK-LABEL: @fold_memrchr_ax1_1_ui32max_p2(
 ; CHECK-NEXT:    [[RET:%.*]] = call i8* @memrchr(i8* noundef nonnull dereferenceable(4294967297) getelementptr inbounds ([1 x i8], [1 x i8]* @ax1, i64 0, i64 0), i32 [[TMP0:%.*]], i64 4294967297)
 ; CHECK-NEXT:    ret i8* [[RET]]
+;
 
   %ptr = getelementptr [1 x i8], [1 x i8]* @ax1, i64 0, i64 0
   %ret = call i8* @memrchr(i8* %ptr, i32 %0, i64 4294967297)
@@ -41,8 +42,7 @@
 
 define i8* @fold_memrchr_ax_1_ui32max_p2(i32 %0) {
 ; CHECK-LABEL: @fold_memrchr_ax_1_ui32max_p2(
-; CHECK-NEXT:    [[RET:%.*]] = call i8* @memrchr(i8* noundef nonnull dereferenceable(4294967297) getelementptr inbounds ([5 x i8], [5 x i8]* @a12345, i64 0, i64 0), i32 [[TMP0:%.*]], i64 4294967297)
-; CHECK-NEXT:    ret i8* [[RET]]
+; CHECK-NEXT:    ret i8* null
 ;
 
   %ptr = getelementptr [5 x i8], [5 x i8]* @a12345, i64 0, i64 0
@@ -55,8 +55,8 @@
 
 define i8* @fold_memrchr_a12345_c_6(i32 %0) {
 ; CHECK-LABEL: @fold_memrchr_a12345_c_6(
-; CHECK-NEXT:    [[RET:%.*]] = call i8* @memrchr(i8* noundef nonnull dereferenceable(6) getelementptr inbounds ([5 x i8], [5 x i8]* @a12345, i64 0, i64 0), i32 [[TMP0:%.*]], i64 6)
-; CHECK-NEXT:    ret i8* [[RET]]
+; CHECK-NEXT:    ret i8* null
+;
 
   %ptr = getelementptr [5 x i8], [5 x i8]* @a12345, i64 0, i64 0
   %ret = call i8* @memrchr(i8* %ptr, i32 %0, i64 6)
@@ -68,8 +68,8 @@
 
 define i8* @fold_memrchr_a12345_c_szmax(i32 %0) {
 ; CHECK-LABEL: @fold_memrchr_a12345_c_szmax(
-; CHECK-NEXT:    [[RET:%.*]] = call i8* @memrchr(i8* noundef nonnull dereferenceable(18446744073709551615) getelementptr inbounds ([5 x i8], [5 x i8]* @a12345, i64 0, i64 0), i32 [[TMP0:%.*]], i64 -1)
-; CHECK-NEXT:    ret i8* [[RET]]
+; CHECK-NEXT:    ret i8* null
+;
 
   %ptr = getelementptr [5 x i8], [5 x i8]* @a12345, i64 0, i64 0
   %ret = call i8* @memrchr(i8* %ptr, i32 %0, i64 18446744073709551615)