https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109446
--- Comment #3 from Martin Liška <marxin at gcc dot gnu.org> ---
The problem here is that we normally preserve memcpy calls and then __interceptor_memcpy is used from the run-time library. However, in this case the second argument of memcpy is a known constant and we convert it to:

    MEM <unsigned char[64]> [(char * {ref-all})_7] = MEM <unsigned char[64]> [(char * {ref-all})&txt];

for such an assignment we only check the beginning and the end of the chunk and we miss the overflow.
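
A simplified model of the endpoint-only check described in the comment above, added here as an illustration; it is not part of the Bugzilla comment and is not GCC or libsanitizer code. The shadow-byte encoding follows AddressSanitizer's documented scheme, while the arena layout, offsets and function names are constructed assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GRANULE 8    /* one shadow byte describes 8 application bytes */
#define ARENA   160  /* constructed toy address space, in bytes */

/* Shadow encoding: 0 = granule fully addressable, 1..7 = only the first
 * k bytes addressable, negative = poisoned (redzone). */
static int8_t shadow[ARENA / GRANULE];

static int byte_ok(size_t addr) {
    int8_t s = shadow[addr / GRANULE];
    if (s == 0) return 1;
    if (s < 0)  return 0;
    return (int)(addr % GRANULE) < s;
}

/* Models the check applied to the folded 64-byte aggregate assignment:
 * only the first and the last byte of the chunk are tested. */
int check_endpoints(size_t addr, size_t size) {
    return byte_ok(addr) && byte_ok(addr + size - 1);
}

/* Models a range check over the whole length, as a memcpy interceptor
 * that validates every byte of the region would perform. */
int check_range(size_t addr, size_t size) {
    for (size_t i = 0; i < size; i++)
        if (!byte_ok(addr + i)) return 0;
    return 1;
}

/* Constructed layout: object A at [32,64), redzone [64,80),
 * object B at [80,144), everything else poisoned. */
void setup_layout(void) {
    memset(shadow, -1, sizeof shadow);
    memset(shadow + 32 / GRANULE, 0, 32 / GRANULE);
    memset(shadow + 80 / GRANULE, 0, 64 / GRANULE);
}

int main(void) {
    setup_layout();
    /* A 64-byte read starting at A ends inside B and crosses the redzone. */
    printf("endpoints only: %s\n", check_endpoints(32, 64) ? "pass" : "report");
    printf("full range:     %s\n", check_range(32, 64) ? "pass" : "report");
    return 0;
}
```

The 64-byte access starts in one valid object and ends in another, so both endpoint probes succeed even though the bytes in between lie in a redzone.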