Index: lib/StaticAnalyzer/Core/MemRegion.cpp
===================================================================
--- lib/StaticAnalyzer/Core/MemRegion.cpp
+++ lib/StaticAnalyzer/Core/MemRegion.cpp
@@ -23,6 +23,9 @@
 #include "clang/Basic/SourceManager.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h"
 #include "llvm/Support/raw_ostream.h"
+#include "llvm/Support/Debug.h"
+
+#include
 using namespace clang;
 using namespace ento;
@@ -1176,6 +1179,17 @@
 }
 CharUnits size = C.getTypeSizeInChars(elemType);
+
+ // FIXME: proper overflow handling, for now we just report the limit
+ // as unknown.
+ // Ideally the code creating the constraint should now that it has to
+ // be within the bounds of the type used for storing pointers.
+ auto Max = std::numeric_limits::max();
+ auto Min = std::numeric_limits::min();
+ if (i > (Max - offset.getQuantity()) / size.getQuantity() || i < (Min - offset.getQuantity()) / size.getQuantity()) return nullptr;
+
 offset += (i * size);
 }
Index: test/Analysis/region-store.cpp
===================================================================
--- test/Analysis/region-store.cpp
+++ test/Analysis/region-store.cpp
@@ -25,4 +25,13 @@
 Builder->setLoc(l);
 return Builder->accessBase();
-}
\ No newline at end of file
+}
+
+int **h;
+int overflow_in_memregion(long j) {
+ for (int l = 0;; ++l) {
+ if (j - l > 0)
+ return h[j][j]; // no-crash
+ }
+ return 0;
+}
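Review bot: `#include "llvm/Support/Debug.h"` is not used by anything else this patch adds — the other hunk introduces no `LLVM_DEBUG`/`DEBUG_TYPE` — so it reads as a leftover from local debugging. Unless some part of MemRegion.cpp outside this diff needs it (I cannot see the rest of the file), drop that line and keep only the new standard-library include the overflow check depends on. The remaining include is grouped after a blank line, which is fine, but the Debug.h line sits inside the project-header group and would be the only unexplained addition there.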
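Review bot: The new guard divides by `size.getQuantity()`, and `C.getTypeSizeInChars(elemType)` is zero for zero-sized element types (e.g. a zero-length array or an empty struct under the GNU C extension), so the check would trap on exactly the sort of input it is meant to make safe; a zero-sized element cannot overflow the offset, so the check should simply be skipped in that case. The intermediate `Max - offset.getQuantity()` itself overflows whenever `offset` is negative (and `Min - offset.getQuantity()` whenever it is positive), which is signed overflow — the very UB this FIXME is trying to avoid; since `i * size` must also fit, clamping the bound to `Max / Sz` (resp. `Min / Sz`) when the subtraction would overflow is both safe and conservative (it only returns nullptr a little more often). The comment also has a typo, `should now that` → `should know that`. The enclosing function begins before this hunk, so I cannot confirm the types of `i` and `offset` beyond `CharUnits`; the sketch below uses `CharUnits::QuantityType` for that reason.
```cpp
  CharUnits size = C.getTypeSizeInChars(elemType);

  // FIXME: proper overflow handling, for now we just report the limit
  // as unknown.
  // Ideally the code creating the constraint should know that it has to
  // be within the bounds of the type used for storing pointers.
  // A zero-sized element cannot move the offset, and the division below
  // would trap on it, so only check when size is non-zero.
  if (!size.isZero()) {
    const CharUnits::QuantityType Off = offset.getQuantity();
    const CharUnits::QuantityType Sz = size.getQuantity();
    const CharUnits::QuantityType Max =
        std::numeric_limits<CharUnits::QuantityType>::max();
    const CharUnits::QuantityType Min =
        std::numeric_limits<CharUnits::QuantityType>::min();
    // Max - Off overflows for negative Off (and Min - Off for positive
    // Off); in those cases i * Sz fitting the type is the binding limit.
    if (i > (Off >= 0 ? Max - Off : Max) / Sz ||
        i < (Off <= 0 ? Min - Off : Min) / Sz)
      return nullptr;
  }

  offset += (i * size);
```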
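Review bot: The regression test says only `// no-crash`; nothing records why this particular shape — a `long` index used for both subscripts of `h[j][j]` inside an unbounded loop over an `int` — is what drove the element-offset computation in MemRegion.cpp out of range, so a later "simplification" of the test could silently stop exercising the fixed path. I would add a one-line comment above `overflow_in_memregion`, e.g. `// Used to overflow while folding the element offset of h[j][j]; the loop keeps j/l symbolic.`, adjusted to the actual mechanism, which I cannot confirm from the diff alone. The RUN line and any `-verify` setup for this file are outside the hunk, so I cannot tell whether an unexpected diagnostic here would be caught or only a crash would.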