* search.c: Integer overflow fixes

(Freplace_match): Use ptrdiff_t, not int, for indexes that can
exceed INT_MAX.  Check that EMACS_INT value is in range before
assigning it to the (possibly-narrower) index.
(match_limit): Don't assume that a fixnum can fit in 'int'.

src/ChangeLog

@@ -1,5 +1,11 @@
 2011-09-04  Paul Eggert  <eggert@cs.ucla.edu>
 
+	* search.c: Integer overflow fixes
+	(Freplace_match): Use ptrdiff_t, not int, for indexes that can
+	exceed INT_MAX.  Check that EMACS_INT value is in range before
+	assigning it to the (possibly-narrower) index.
+	(match_limit): Don't assume that a fixnum can fit in 'int'.
+
 	* print.c: Integer overflow fix.
 	(print_object): Use ptrdiff_t, not int, for index that can
 	exceed INT_MAX.

src/search.c

@@ -2404,7 +2404,7 @@ since only regular expressions have distinguished subexpressions.  */)
   int some_uppercase;
   int some_nonuppercase_initial;
   register int c, prevc;
-  int sub;
+  ptrdiff_t sub;
   EMACS_INT opoint, newpoint;
 
   CHECK_STRING (newtext);
@@ -2423,9 +2423,9 @@ since only regular expressions have distinguished subexpressions.  */)
   else
     {
       CHECK_NUMBER (subexp);
-      sub = XINT (subexp);
-      if (sub < 0 || sub >= search_regs.num_regs)
+      if (! (0 <= XINT (subexp) && XINT (subexp) < search_regs.num_regs))
 	args_out_of_range (subexp, make_number (search_regs.num_regs));
+      sub = XINT (subexp);
     }
 
   if (NILP (string))
@@ -2662,7 +2662,7 @@ since only regular expressions have distinguished subexpressions.  */)
 	  unsigned char str[MAX_MULTIBYTE_LENGTH];
 	  const unsigned char *add_stuff = NULL;
 	  ptrdiff_t add_len = 0;
-	  int idx = -1;
+	  ptrdiff_t idx = -1;
 
 	  if (str_multibyte)
 	    {
@@ -2813,7 +2813,7 @@ since only regular expressions have distinguished subexpressions.  */)
 static Lisp_Object
 match_limit (Lisp_Object num, int beginningp)
 {
-  register int n;
+  EMACS_INT n;
 
   CHECK_NUMBER (num);
   n = XINT (num);