From a45611ad67477772b65e62f2d266530611158d56 Mon Sep 17 00:00:00 2001
From: Jakob Botsch Nielsen
Date: Mon, 3 Oct 2022 21:18:13 +0200
Subject: [PATCH] JIT: Ensure no overflow in ContainBlockStoreAddress (#76532)

The offset here can be a "base" address due to various JIT transformations so we should ensure the range [offset, offset+size) does not overflow.
Fix #76506
---
 src/coreclr/jit/lowerarmarch.cpp | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/coreclr/jit/lowerarmarch.cpp b/src/coreclr/jit/lowerarmarch.cpp
index 1eae6c6dbc0987..12023a99d77c1b 100644
--- a/src/coreclr/jit/lowerarmarch.cpp
+++ b/src/coreclr/jit/lowerarmarch.cpp
@@ -688,7 +688,12 @@ void Lowering::ContainBlockStoreAddress(GenTreeBlk* blkNode, unsigned size, GenT
 {
 return;
 }
-#endif // TARGET_ARM
+#else // !TARGET_ARM
+ if ((ClrSafeInt(offset) + ClrSafeInt(size)).IsOverflow())
+ {
+ return;
+ }
+#endif // !TARGET_ARM
 
 if (!IsSafeToContainMem(blkNode, addr))
 {
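Review bot: The new overflow check in the `#else` branch has no comment saying why `offset + size` can wrap at this point, and the reason is only in the commit message; a one-line note above the `if`, such as `// offset may be a full base address after earlier JIT transformations; bail out if [offset, offset + size) would wrap.`, would keep that rationale with the code. The check is compiled only for the non-ARM configuration; if the `TARGET_ARM` block above the hunk does not reject a wrapping range itself, it is worth confirming that the ARM path cannot reach `IsSafeToContainMem` with such a range. The type of `offset` is not visible in the hunk; `ClrSafeInt(offset) + ClrSafeInt(size)` presumably requires it to match the `unsigned` type of `size`, so the signedness of `offset` should be confirmed against the signature. ContainBlockStoreAddress starts and ends outside the hunk.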