upstream

63 files changed, 1803 insertions, 1089 deletions

diff --git a/src/ChangeLog b/src/ChangeLog
index 431a515def5..7eb18593993 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,466 @@
+2011-08-27  Paul Eggert  <eggert@cs.ucla.edu>
+
+        * ccl.c: Improve and simplify overflow checking (Bug#9196).
+        (ccl_driver): Do not generate an out-of-range pointer.
+        (Fccl_execute_on_string): Remove unnecessary check for
+        integer overflow, noted by Stefan Monnier in
+        <http://lists.gnu.org/archive/html/emacs-devel/2011-08/msg00979.html>.
+        Remove a FIXME that didn't need fixing.
+        Simplify the newly-introduced buffer reallocation code.
+
+2011-08-27  Juanma Barranquero  <lekktu@gmail.com>
+
+        * makefile.w32-in ($(BLD)/alloc.$(O)): Depend on lib/verify.h.
+
+2011-08-26  Paul Eggert  <eggert@cs.ucla.edu>
+
+        Integer and memory overflow issues (Bug#9196).
+
+        * doc.c (get_doc_string): Rework so that
+        get_doc_string_buffer_size is the actual buffer size, rather than
+        being 1 less than the actual buffer size; this makes xpalloc more
+        convenient.
+
+        * image.c (x_allocate_bitmap_record, cache_image):
+        * xselect.c (Fx_register_dnd_atom):
+        Simplify previous changes by using xpalloc.
+
+        * buffer.c (overlay_str_len): Now ptrdiff_t, not EMACS_INT,
+        since either will do and ptrdiff_t is convenient with xpalloc.
+
+        * charset.c (charset_table_size)
+        (struct charset_sort_data.priority): Now ptrdiff_t.
+        (charset_compare): Don't overflow if priorities differ greatly.
+        (Fsort_charsets): Don't assume list length fits in int.
+        Check for size-calculation overflow when allocating sort data.
+        (syms_of_charset): Allocate an initial charset table that is
+        just under 64 KiB, to avoid problems with glibc malloc and mmap.
+
+        * cmds.c (internal_self_insert): Check for size-calculation overflow.
+
+        * composite.h (struct composition.glyph_len): Now int, not unsigned.
+        The actual value is always <= INT_MAX, and leaving it unsigned made
+        overflow checking harder.
+
+        * dispextern.h (struct glyph_matrix.rows_allocated)
+        (struct face_cache.size): Now ptrdiff_t, for convenience in use
+        with xpalloc.  The values are still always <= INT_MAX.
+
+        * indent.c (compute_motion): Adjust to region_cache_forward sig change.
+
+        * lisp.h (xnmalloc, xnrealloc, xpalloc): New decls.
+        (SAFE_NALLOCA): New macro.
+
+        * region-cache.c (struct boundary.pos, find_cache_boundary)
+        (move_cache_gap, insert_cache_boundary, delete_cache_boundaries)
+        (set_cache_region, invalidate_region_cache)
+        (revalidate_region_cache, know_region_cache, region_cache_forward)
+        (region_cache_backward, pp_cache):
+        Use ptrdiff_t, not EMACS_INT, since either will do.  This is needed
+        so that ptrdiff_t * can be passed to xpalloc.
+        (struct region_cache): Similarly, for gap_start, gap_len, cache_len,
+        beg_unchanged, end_unchanged, buffer_beg, buffer_end members.
+        (pp_cache): Don't assume cache_len fits in int.
+        * region-cache.h: Adjust extern decls to match.
+
+        * search.c (scan_buffer, Freplace_match): Use ptrdiff_t, not
+        EMACS_INT, since either will do, for xpalloc.
+
+        * alloc.c: Include verify.h, and check that int fits in ptrdiff_t.
+        (xnmalloc, xnrealloc, xpalloc): New functions.
+
+        * bidi.c (bidi_shelve_header_size): New constant.
+        (bidi_cache_ensure_space, bidi_shelve_cache): Use it.
+        (bidi_cache_ensure_space): Avoid integer overflow when allocating.
+
+        * bidi.c (bidi_cache_shrink):
+        * buffer.c (overlays_at, overlays_in, record_overlay_string)
+        (overlay_strings):
+        Don't update size of array until after memory allocation succeeds,
+        because xmalloc/xrealloc may not return.
+        (struct sortstrlist.bytes): Now ptrdiff_t, as EMACS_INT doesn't help
+        now that we have proper integer overflow checking.
+        (record_overlay_string, overlay_strings): Catch overflows when
+        calculating size of overlay_str_buf.
+
+        * callproc.c (Fcall_process): Check for size overflow when
+        calculating size of args2.
+        (child_setup): Avoid overflow by using size_t rather than ptrdiff_t.
+        Normally we prefer signed values, but sticking with ptrdiff_t would
+        require adding more-complicated checks.
+
+        * ccl.c (Fccl_execute_on_string): Check for memory overflow.
+        Use ptrdiff_t rather than EMACS_INT where ptrdiff_t will do.
+        Redo buffer-overflow calculations to avoid integer overflow.
+        Add a FIXME comment where memory seems to be over-allocated.
+
+        * character.c (Fstring): Check for size-calculation overflow.
+
+        * coding.c (produce_chars): Redo buffer-overflow calculations to avoid
+        unnecessary integer overflow.  Check for size overflow.
+        (encode_coding_object): Don't update size until xmalloc succeeds.
+
+        * composite.c (get_composition_id): Check for overflow in glyph
+        length calculations.
+
+        Integer and memory overflow fixes for display code.
+        * dispextern.h (struct glyph_pool.nglyphs): Now ptrdiff_t, not int.
+        * dispnew.c (adjust_glyph_matrix, realloc_glyph_pool)
+        (scrolling_window): Check for overflow in size calculations.
+        (line_draw_cost, realloc_glyph_pool, add_row_entry):
+        Don't assume glyph table len fits in int.
+        (struct row_entry.bucket, row_entry_pool_size, row_entry_idx)
+        (row_table_size): Now ptrdiff_t, not int.
+        (scrolling_window): Avoid overflow in size calculations.
+        Don't update size until allocation succeeds.
+        * fns.c (concat): Check for overflow in size calculations.
+        (next_almost_prime): Verify NEXT_ALMOST_PRIME_LIMIT.
+        * lisp.h (RANGED_INTEGERP, TYPE_RANGED_INTEGERP): New macros.
+        (NEXT_ALMOST_PRIME_LIMIT): New constant.
+
+        * doc.c (get_doc_string_buffer_size): Now ptrdiff_t, not int.
+        (get_doc_string): Check for size calculation overflow.
+        Don't update size until allocation succeeds.
+        (get_doc_string, Fsubstitute_command_keys): Use ptrdiff_t, not
+        EMACS_INT, where ptrdiff_t will do.
+        (Fsubstitute_command_keys): Check for string overflow.
+
+        * editfns.c (set_time_zone_rule): Don't assume environment length
+        fits in int.
+        (message_length): Now ptrdiff_t, not int.
+        (Fmessage_box): Don't update size until allocation succeeds.
+        Don't assume message length fits in int.
+        (Fformat): Use ptrdiff_t, not EMACS_INT, where ptrdiff_t will do.
+
+        * emacs.c (main): Do not reallocate argv, since there is a null at
+        the end that can be overwritten, and this way there's no need to
+        worry about size-calculation overflow.
+        (sort_args): Check for size-calculation overflow.
+
+        * eval.c (init_eval_once, grow_specpdl): Don't update size until
+        alloc succeeds.
+        (call_debugger, grow_specpdl): Redo calculations to avoid overflow.
+
+        * frame.c (set_menu_bar_lines, x_set_frame_parameters)
+        (x_set_scroll_bar_width, x_figure_window_size):
+        Check for integer overflow.
+        (x_set_alpha): Do not assume XINT fits in int.
+
+        * frame.h (struct frame): Use int, not EMACS_INT, where int works.
+        This is for the members text_lines, text_cols, total_lines, total_cols,
+        where the system imposes an 'int' limit.
+
+        * fringe.c (Fdefine_fringe_bitmap):
+        Don't update size until alloc works.
+
+        * ftfont.c (ftfont_get_open_type_spec, setup_otf_gstring)
+        (ftfont_shape_by_flt): Check for integer overflow in size calculations.
+
+        * gtkutil.c (get_utf8_string, xg_store_widget_in_map):
+        Check for size-calculation overflow.
+        (get_utf8_string): Use ptrdiff_t, not size_t, where either will
+        do, as we prefer signed integers.
+        (id_to_widget.max_size, id_to_widget.used)
+        (xg_store_widget_in_map, xg_remove_widget_from_map)
+        (xg_get_widget_from_map, xg_get_scroll_id_for_window)
+        (xg_remove_scroll_bar, xg_update_scrollbar_pos):
+        Use and return ptrdiff_t, not int.
+        (xg_gtk_scroll_destroy): Don't assume ptrdiff_t fits in int.
+        * gtkutil.h: Change prototypes to match the above.
+
+        * image.c (RANGED_INTEGERP, TYPE_RANGED_INTEGERP): Remove; these
+        are duplicate now that they've been promoted to lisp.h.
+        (x_allocate_bitmap_record, x_alloc_image_color)
+        (make_image_cache, cache_image, xpm_load):
+        Don't update size until alloc is done.
+        (xpm_load, lookup_rgb_color, lookup_pixel_color, x_to_xcolors)
+        (x_detect_edges):
+        Check for size calculation overflow.
+        (ct_colors_allocated_max): New constant.
+        (x_to_xcolors, x_detect_edges): Reorder multiplicands to avoid
+        overflow.
+
+        * keyboard.c (read_char, menu_bar_items, tool_bar_items)
+        (read_char_x_menu_prompt, read_char_minibuf_menu_width)
+        (read_char_minibuf_menu_prompt, follow_key, read_key_sequence):
+        Use ptrdiff_t, not int, to count maps.
+        (read_char_minibuf_menu_prompt): Check for overflow in size
+        calculations.  Don't update size until allocation succeeds.  Redo
+        calculations to avoid overflow.
+        * keyboard.h: Change prototypes to match the above.
+
+        * keymap.c (cmm_size, current_minor_maps): Use ptrdiff_t, not int,
+        to count maps.
+        (current_minor_maps): Check for size calculation overflow.
+        * keymap.h: Change prototypes to match the above.
+
+        * lread.c (read1, init_obarray): Don't update size until alloc done.
+
+        * macros.c (Fstart_kbd_macro): Don't update size until alloc done.
+        (store_kbd_macro_char): Reorder multiplicands to avoid overflow.
+
+        * nsterm.h (struct ns_color_table.size, struct ns_color_table.avail):
+        Now ptrdiff_t, not int.
+        * nsterm.m (ns_index_color): Use ptrdiff_t, not int, for table indexes.
+        (ns_draw_fringe_bitmap): Rewrite to avoid overflow.
+
+        * process.c (Fnetwork_interface_list): Check for overflow
+        in size calculation.
+
+        * region-cache.c (move_cache_gap): Check for size calculation overflow.
+
+        * scroll.c (do_line_insertion_deletion_costs): Check for size calc
+        overflow.  Don't bother calling xmalloc when xrealloc will do.
+
+        * search.c (Freplace_match): Check for size calculation overflow.
+        (Fset_match_data): Don't assume list lengths fit in 'int'.
+
+        * sysdep.c (system_process_attributes): Use ptrdiff_t, not int,
+        for command line length.  Do not attempt to address one before the
+        beginning of an array, as that's not portable.
+
+        * term.c (max_frame_lines): Remove; unused.
+        (encode_terminal_src_size, encode_terminal_dst_size): Now ptrdiff_t,
+        not int.
+        (encode_terminal_code, calculate_costs): Check for size
+        calculation overflow.
+        (encode_terminal_code): Use ptrdiff_t, not int, to record glyph
+        table lengths and related sizes.  Don't update size until alloc
+        done.  Redo calculations to avoid overflow.
+        (calculate_costs): Don't bother calling xmalloc when xrealloc will do.
+
+        * termcap.c (tgetent): Use ptrdiff_t, not int, to record results of
+        subtracting pointers.
+        (gobble_line): Check for overflow more carefully.  Don't update size
+        until alloc done.
+
+        * tparam.c (tparam1): Use ptrdiff_t, not int, for sizes.
+        Don't update size until alloc done.
+        Redo size calculations to avoid overflow.
+        Check for size calculation overflow.
+        (main) [DEBUG]: Fix typo in invoking tparam1.
+
+        * xdisp.c (store_mode_line_noprop_char, x_consider_frame_title):
+        Use ptrdiff_t, not int, for sizes.
+        (store_mode_line_noprop_char): Don't update size until alloc done.
+
+        * xfaces.c (lface_id_to_name_size, Finternal_make_lisp_face):
+        Use ptrdiff_t, not int, for sizes.
+        (Finternal_make_lisp_face, cache_face):
+        Check for size calculation overflow.
+        (cache_face): Treat size calculation overflows as if they were
+        memory exhaustion (the usual treatment), rather than aborting.
+
+        * xfns.c (x_encode_text, x_set_name_internal)
+        (Fx_change_window_property): Use ptrdiff_t, not int, to count
+        sizes, since they can exceed INT_MAX in size.  Check for size
+        calculation overflow.
+
+        * xgselect.c (gfds_size): Now ptrdiff_t, for convenience with xpalloc.
+        (xg_select): Check for size calculation overflow.
+        Don't update size until alloc done.
+
+        * xrdb.c (get_environ_db): Don't assume path length fits in int,
+        as sprintf is limited to int lengths.
+
+        * xselect.c (X_LONG_SIZE, X_SHRT_MAX, X_SHRT_MIN, X_LONG_MAX)
+        (X_LONG_MIN): New macros.
+        Use them to make the following changes clearer.
+        (MAX_SELECTION_QUANTUM): Make the other bounds on this value clearer.
+        This change doesn't affect the value now, but it may help remind
+        future maintainers not to raise the value too much later.
+        (SELECTION_QUANTUM): Remove, replacing with ...
+        (selection_quantum): ... new function, which avoids overflow.
+        All uses changed.
+        (struct selection_data.size): Now ptrdiff_t, not int, to avoid
+        assumption that selection length fits in 'int'.
+        (x_reply_selection_request, x_handle_selection_request)
+        (x_get_window_property, receive_incremental_selection)
+        (x_get_window_property_as_lisp_data, selection_data_to_lisp_data)
+        (lisp_data_to_selection_data, clean_local_selection_data):
+        Use ptrdiff_t, not int, to record length of selection.
+        (x_reply_selection_request, x_get_window_property)
+        (receive_incremental_selection, x_property_data_to_lisp):
+        Redo calculations to avoid overflow.
+        (x_reply_selection_request): When sending hint, ceiling it at
+        X_LONG_MAX rather than relying on wraparound overflow to send
+        something.
+        (x_get_window_property, receive_incremental_selection)
+        (lisp_data_to_selection_data, x_property_data_to_lisp):
+        Check for size-calculation overflow.
+        (x_get_window_property, receive_incremental_selection)
+        (lisp_data_to_selection_data, Fx_register_dnd_atom):
+        Don't store size until memory allocation succeeds.
+        (x_get_window_property): Plug memory leak on memory exhaustion.
+        Don't double-block input; malloc is safe here.  Don't assume 2**34
+        - 4 fits in unsigned long.  Add an xassert to check
+        XGetWindowProperty overflow.  Be more careful about overflow
+        calculations, and distinguish size from memory overflow better.
+        (receive_incremental_selection): When tracing, don't assume
+        unsigned int is less than INT_MAX.
+        (x_selection_data_to_lisp_data): Remove unnecessary (and in theory
+        harmful) conversions of unsigned short to int.
+        (lisp_data_to_selection_data): Don't assume that integers
+        in the range -65535 through -1 fit in an X unsigned short.
+        Don't assume that ULONG_MAX == X_ULONG_MAX.  Don't store into
+        result parameters unless successful.  Rely on cons_to_unsigned
+        to report problems with elements; the old code wasn't right anyway.
+        (x_check_property_data): Check for int overflow; we cannot use
+        a wider type due to X limits.
+        (x_handle_dnd_message): Use unsigned int, to avoid int overflow.
+
+        * xsmfns.c (smc_save_yourself_CB): Check for size calc overflow.
+
+        * xterm.c (x_color_cells, x_send_scrollbar_event, handle_one_xevent)
+        (x_term_init): Check for size calculation overflow.
+        (x_color_cells): Don't store size until memory allocation succeeds.
+        (handle_one_xevent): Use ptrdiff_t, not int, for byte counts.
+        Don't assume alloca size is less than MAX_ALLOCA.
+        (x_term_init): Don't assume length fits in int (sprintf is limited
+        to int size).
+
+        Use ptrdiff_t for composition IDs.
+        * character.c (lisp_string_width):
+        * composite.c (composition_table_size, n_compositions)
+        (get_composition_id, composition_gstring_from_id):
+        * dispextern.h (struct glyph_string.cmp_id, struct composition_it.id):
+        * xdisp.c (BUILD_COMPOSITE_GLYPH_STRING):
+        * window.c (Frecenter):
+        Use ptrdiff_t, not int, for composition IDs.
+        * composite.c (get_composition_id): Check for integer overflow.
+        * composite.h: Adjust prototypes to match the above changes.
+
+        Use ptrdiff_t for hash table indexes.
+        * category.c (hash_get_category_set):
+        * ccl.c (ccl_driver):
+        * charset.h (struct charset.hash_index, CHECK_CHARSET_GET_ID):
+        * coding.c (coding_system_charset_list, detect_coding_system):
+        * coding.h (struct coding_system.id):
+        * composite.c (get_composition_id, gstring_lookup_cache):
+        * fns.c (hash_lookup, hash_put, Fgethash, Fputhash):
+        * image.c (xpm_get_color_table_h):
+        * lisp.h (hash_lookup, hash_put):
+        * minibuf.c (Ftest_completion):
+        Use ptrdiff_t for hash table indexes, not int (which is too
+        narrow, on 64-bit hosts) or EMACS_INT (which is too wide, on
+        32-bit --with-wide-int hosts).
+
+        * charset.c (Fdefine_charset_internal): Check for integer overflow.
+        Add a FIXME comment about memory leaks.
+        (syms_of_charset): Don't assume xmalloc returns.
+
+        Don't assume that stated character widths fit in int.
+        * character.c (Fchar_width, c_string_width, lisp_string_width):
+        * character.h (CHAR_WIDTH):
+        * indent.c (MULTIBYTE_BYTES_WIDTH):
+        Use sanitize_char_width to avoid undefined and/or bad behavior
+        with outlandish widths.
+        * character.h (sanitize_tab_width): Renamed from sanitize_width,
+        now that we have two such functions.  All uses changed.
+        (sanitize_char_width): New inline function.
+
+        Don't assume that tab-width fits in int.
+        * character.h (sanitize_width): New inline function.
+        (SANE_TAB_WIDTH): New macro.
+        (ASCII_CHAR_WIDTH): Use it.
+        * indent.c (sane_tab_width): Remove.  All uses replaced by
+        SANE_TAB_WIDTH (current_buffer).
+        * xdisp.c (init_iterator): Use SANE_TAB_WIDTH.
+
+        * fileio.c: Integer overflow issues with file modes.
+        (Fset_file_modes, auto_save_1): Don't assume EMACS_INT fits in int.
+
+        * charset.c (read_hex): New arg OVERFLOW.  All uses changed.
+        Remove unreachable code.
+        (read_hex, load_charset_map_from_file): Check for integer overflow.
+
+        * xterm.c: don't go over XClientMessageEvent limit
+        (scroll_bar_windows_size): Now ptrdiff_t, as we prefer signed.
+        (x_send_scroll_bar_event): Likewise.  Check that the size does not
+        exceed limits imposed by XClientMessageEvent, as well as the usual
+        ptrdiff_t and size_t limits.
+
+        * keyboard.c: Overflow, signedness and related fixes.
+        (make_lispy_movement): Use same integer type in forward decl
+        that is used in the definition.
+        (read_key_sequence, keyremap_step):
+        Change bufsize argument back to int, undoing my 2011-03-30 change.
+        We prefer signed types, and int is wide enough here.
+        (parse_tool_bar_item): Don't assume tool_bar_max_label_size is less
+        than TYPE_MAXIMUM (EMACS_INT) / 2.  Don't let the label size grow
+        larger than STRING_BYTES_BOUND.  Use ptrdiff_t for Emacs string
+        length, not size_t.  Use ptrdiff_t for index, not int.
+        (keyremap_step, read_key_sequence): Redo bufsize check to avoid
+        possibility of integer overflow.
+
+        Overflow, signedness and related fixes for images.
+
+        * dispextern.h (struct it.stack[0].u.image.image_id)
+        (struct_it.image_id, struct image.id, struct image_cache.size)
+        (struct image_cache.used, struct image_cache.ref_count):
+        * gtkutil.c (update_frame_tool_bar):
+        * image.c (x_reference_bitmap, Fimage_size, Fimage_mask_p)
+        (Fimage_metadata, free_image_cache, clear_image_cache, lookup_image)
+        (cache_image, mark_image_cache, x_kill_gs_process, Flookup_image):
+        * nsmenu.m (update_frame_tool_bar):
+        * xdisp.c (calc_pixel_width_or_height):
+        * xfns.c (image_cache_refcount):
+        Image IDs are now ptrdiff_t, not int, to avoid arbitrary limits
+        on typical 64-bit hosts.
+
+        * image.c (RANGED_INTEGERP, TYPE_RANGED_INTEGERP): New macros.
+        (x_bitmap_pixmap, x_create_x_image_and_pixmap):
+        Omit unnecessary casts to int.
+        (parse_image_spec): Check that integers fall into 'int' range
+        when the callers expect that.
+        (image_ascent): Redo ascent calculation to avoid int overflow.
+        (clear_image_cache): Avoid overflow when sqrt (INT_MAX) < nimages.
+        (lookup_image): Remove unnecessary tests.
+        (xbm_image_p): Locals are now of int, not EMACS_INT,
+        since parse_image_check makes sure they fit into int.
+        (png_load, gif_load, svg_load_image):
+        Prefer int to unsigned where either will do.
+        (tiff_handler): New function, combining the cores of the
+        old tiff_error_handler and tiff_warning_handler.  This
+        function is rewritten to use vsnprintf and thereby avoid
+        stack buffer overflows.  It uses only the features of vsnprintf
+        that are common to both POSIX and native Microsoft.
+        (tiff_error_handler, tiff_warning_handler): Use it.
+        (tiff_load, gif_load, imagemagick_load_image):
+        Don't assume :index value fits in 'int'.
+        (gif_load): Omit unnecessary cast to double, and avoid double-rounding.
+        (imagemagick_load_image): Check that crop parameters fit into
+        the integer types that MagickCropImage accepts.  Don't assume
+        Vimagemagick_render_type has a nonnegative value.  Don't assume
+        size_t fits in 'long'.
+        (gs_load): Use printmax_t to print the widest integers possible.
+        Check for integer overflow when computing image height and width.
+
+2011-08-26  Eli Zaretskii  <eliz@gnu.org>
+
+        * xdisp.c (redisplay_window): Don't force window start if point
+        will be invisible in the resulting window.  (Bug#9324)
+
+2011-08-25  Eli Zaretskii  <eliz@gnu.org>
+
+        * xdisp.c (compute_display_string_pos): Return 2 in DISP_PROP when
+        the display spec is of the form `(space ...)'.
+        (handle_display_spec): Return the value returned by
+        handle_single_display_spec, not just 1 or zero.
+        (handle_single_display_spec): If the display spec is of the form
+        `(space ...)', and specifies display in the text area, return 2
+        rather than 1.
+        (try_cursor_movement): Check for the need to scroll more
+        accurately, and prefer exact match for point under bidi.  Don't
+        advance `row' beyond the last row of the window.
+
+        * dispextern.h (struct bidi_it): Rename the disp_prop_p member
+        into disp_prop; all users changed.
+
+        * bidi.c (bidi_fetch_char): If compute_display_string_pos returns
+        DISP_PROP = 2, substitute the u+2029 PARAGRAPH SEPARATOR character
+        for the text covered by the display property.
+
 2011-08-25  Chong Yidong  <cyd@stupidchicken.com>
 
         * buffer.c (Fbury_buffer_internal): Rename from Funrecord_buffer.
diff --git a/src/alloc.c b/src/alloc.c
index 36ad645612d..2d256800466 100644
--- a/src/alloc.c
+++ b/src/alloc.c
@@ -46,6 +46,7 @@ along with GNU Emacs.  If not, see <http://www.gnu.org/licenses/>.  */
 #include "syssignal.h"
 #include "termhooks.h"          /* For struct terminal.  */
 #include <setjmp.h>
+#include <verify.h>
 
 /* GC_MALLOC_CHECK defined means perform validity checks of malloc'd
    memory.  Can do this only if using gmalloc.c.  */
@@ -733,6 +734,93 @@ xfree (POINTER_TYPE *block)
 }
 
 
+/* Other parts of Emacs pass large int values to allocator functions
+   expecting ptrdiff_t.  This is portable in practice, but check it to
+   be safe.  */
+verify (INT_MAX <= PTRDIFF_MAX);
+
+
+/* Allocate an array of NITEMS items, each of size ITEM_SIZE.
+   Signal an error on memory exhaustion, and block interrupt input.  */
+
+void *
+xnmalloc (ptrdiff_t nitems, ptrdiff_t item_size)
+{
+  xassert (0 <= nitems && 0 < item_size);
+  if (min (PTRDIFF_MAX, SIZE_MAX) / item_size < nitems)
+    memory_full (SIZE_MAX);
+  return xmalloc (nitems * item_size);
+}
+
+
+/* Reallocate an array PA to make it of NITEMS items, each of size ITEM_SIZE.
+   Signal an error on memory exhaustion, and block interrupt input.  */
+
+void *
+xnrealloc (void *pa, ptrdiff_t nitems, ptrdiff_t item_size)
+{
+  xassert (0 <= nitems && 0 < item_size);
+  if (min (PTRDIFF_MAX, SIZE_MAX) / item_size < nitems)
+    memory_full (SIZE_MAX);
+  return xrealloc (pa, nitems * item_size);
+}
+
+
+/* Grow PA, which points to an array of *NITEMS items, and return the
+   location of the reallocated array, updating *NITEMS to reflect its
+   new size.  The new array will contain at least NITEMS_INCR_MIN more
+   items, but will not contain more than NITEMS_MAX items total.
+   ITEM_SIZE is the size of each item, in bytes.
+
+   ITEM_SIZE and NITEMS_INCR_MIN must be positive.  *NITEMS must be
+   nonnegative.  If NITEMS_MAX is -1, it is treated as if it were
+   infinity.
+
+   If PA is null, then allocate a new array instead of reallocating
+   the old one.  Thus, to grow an array A without saving its old
+   contents, invoke xfree (A) immediately followed by xgrowalloc (0,
+   &NITEMS, ...).
+
+   Block interrupt input as needed.  If memory exhaustion occurs, set
+   *NITEMS to zero if PA is null, and signal an error (i.e., do not
+   return).  */
+
+void *
+xpalloc (void *pa, ptrdiff_t *nitems, ptrdiff_t nitems_incr_min,
+         ptrdiff_t nitems_max, ptrdiff_t item_size)
+{
+  /* The approximate size to use for initial small allocation
+     requests.  This is the largest "small" request for the GNU C
+     library malloc.  */
+  enum { DEFAULT_MXFAST = 64 * sizeof (size_t) / 4 };
+
+  /* If the array is tiny, grow it to about (but no greater than)
+     DEFAULT_MXFAST bytes.  Otherwise, grow it by about 50%.  */
+  ptrdiff_t n = *nitems;
+  ptrdiff_t tiny_max = DEFAULT_MXFAST / item_size - n;
+  ptrdiff_t half_again = n >> 1;
+  ptrdiff_t incr_estimate = max (tiny_max, half_again);
+
+  /* Adjust the increment according to three constraints: NITEMS_INCR_MIN,
+     NITEMS_MAX, and what the C language can represent safely.  */
+  ptrdiff_t C_language_max = min (PTRDIFF_MAX, SIZE_MAX) / item_size;
+  ptrdiff_t n_max = (0 <= nitems_max && nitems_max < C_language_max
+                     ? nitems_max : C_language_max);
+  ptrdiff_t nitems_incr_max = n_max - n;
+  ptrdiff_t incr = max (nitems_incr_min, min (incr_estimate, nitems_incr_max));
+
+  xassert (0 < item_size && 0 < nitems_incr_min && 0 <= n && -1 <= nitems_max);
+  if (! pa)
+    *nitems = 0;
+  if (nitems_incr_max < incr)
+    memory_full (SIZE_MAX);
+  n += incr;
+  pa = xrealloc (pa, n * item_size);
+  *nitems = n;
+  return pa;
+}
+
+
 /* Like strdup, but uses xmalloc.  */
 
 char *
diff --git a/src/bidi.c b/src/bidi.c
index 425a0be9578..bb29647ea88 100644
--- a/src/bidi.c
+++ b/src/bidi.c
@@ -316,6 +316,21 @@ static ptrdiff_t bidi_cache_last_idx;	/* slot of last cache hit */
 static ptrdiff_t bidi_cache_start = 0;  /* start of cache for this
                                            "stack" level */
 
+/* 5-slot stack for saving the start of the previous level of the
+   cache.  xdisp.c maintains a 5-slot stack for its iterator state,
+   and we need the same size of our stack.  */
+static ptrdiff_t bidi_cache_start_stack[IT_STACK_SIZE];
+static int bidi_cache_sp;
+
+/* Size of header used by bidi_shelve_cache.  */
+enum
+  {
+    bidi_shelve_header_size =
+      (sizeof (bidi_cache_idx) + sizeof (bidi_cache_start_stack)
+       + sizeof (bidi_cache_sp) + sizeof (bidi_cache_start)
+       + sizeof (bidi_cache_last_idx))
+  };
+
 /* Reset the cache state to the empty state.  We only reset the part
    of the cache relevant to iteration of the current object.  Previous
    objects, which are pushed on the display iterator's stack, are left
@@ -338,9 +353,9 @@ bidi_cache_shrink (void)
 {
   if (bidi_cache_size > BIDI_CACHE_CHUNK)
     {
-      bidi_cache_size = BIDI_CACHE_CHUNK;
       bidi_cache =
-        (struct bidi_it *) xrealloc (bidi_cache, bidi_cache_size * elsz);
+        (struct bidi_it *) xrealloc (bidi_cache, BIDI_CACHE_CHUNK * elsz);
+      bidi_cache_size = BIDI_CACHE_CHUNK;
     }
   bidi_cache_reset ();
 }
@@ -473,21 +488,19 @@ bidi_cache_ensure_space (ptrdiff_t idx)
   /* Enlarge the cache as needed.  */
   if (idx >= bidi_cache_size)
     {
-      ptrdiff_t new_size;
-
       /* The bidi cache cannot be larger than the largest Lisp string
          or buffer.  */
       ptrdiff_t string_or_buffer_bound =
         max (BUF_BYTES_MAX, STRING_BYTES_BOUND);
 
       /* Also, it cannot be larger than what C can represent.  */
-      ptrdiff_t c_bound = min (PTRDIFF_MAX, SIZE_MAX) / elsz;
+      ptrdiff_t c_bound =
+        (min (PTRDIFF_MAX, SIZE_MAX) - bidi_shelve_header_size) / elsz;
 
-      if (min (string_or_buffer_bound, c_bound) <= idx)
-        memory_full (SIZE_MAX);
-      new_size = idx - idx % BIDI_CACHE_CHUNK + BIDI_CACHE_CHUNK;
-      bidi_cache = (struct bidi_it *) xrealloc (bidi_cache, new_size * elsz);
-      bidi_cache_size = new_size;
+      bidi_cache =
+        xpalloc (bidi_cache, &bidi_cache_size,
+                 max (BIDI_CACHE_CHUNK, idx - bidi_cache_size + 1),
+                 min (string_or_buffer_bound, c_bound), elsz);
     }
 }
 
@@ -540,7 +553,7 @@ bidi_cache_iterator_state (struct bidi_it *bidi_it, int resolved)
       bidi_cache[idx].next_for_ws = bidi_it->next_for_ws;
       bidi_cache[idx].ignore_bn_limit = bidi_it->ignore_bn_limit;
       bidi_cache[idx].disp_pos = bidi_it->disp_pos;
-      bidi_cache[idx].disp_prop_p = bidi_it->disp_prop_p;
+      bidi_cache[idx].disp_prop = bidi_it->disp_prop;
     }
 
   bidi_cache_last_idx = idx;
@@ -580,11 +593,6 @@ bidi_peek_at_next_level (struct bidi_it *bidi_it)
 /***********************************************************************
              Pushing and popping the bidi iterator state
  ***********************************************************************/
-/* 5-slot stack for saving the start of the previous level of the
-   cache.  xdisp.c maintains a 5-slot stack for its iterator state,
-   and we need the same size of our stack.  */
-static ptrdiff_t bidi_cache_start_stack[IT_STACK_SIZE];
-static int bidi_cache_sp;
 
 /* Push the bidi iterator state in preparation for reordering a
    different object, e.g. display string found at certain buffer
@@ -639,21 +647,16 @@ void *
 bidi_shelve_cache (void)
 {
   unsigned char *databuf;
+  ptrdiff_t alloc;
 
   /* Empty cache.  */
   if (bidi_cache_idx == 0)
     return NULL;
 
-  databuf = xmalloc (sizeof (bidi_cache_idx)
-                     + bidi_cache_idx * sizeof (struct bidi_it)
-                     + sizeof (bidi_cache_start_stack)
-                     + sizeof (bidi_cache_sp) + sizeof (bidi_cache_start)
-                     + sizeof (bidi_cache_last_idx));
-  bidi_cache_total_alloc +=
-    sizeof (bidi_cache_idx) + bidi_cache_idx * sizeof (struct bidi_it)
-    + sizeof (bidi_cache_start_stack)
-    + sizeof (bidi_cache_sp) + sizeof (bidi_cache_start)
-    + sizeof (bidi_cache_last_idx);
+  alloc = (bidi_shelve_header_size
+           + bidi_cache_idx * sizeof (struct bidi_it));
+  databuf = xmalloc (alloc);
+  bidi_cache_total_alloc += alloc;
 
   memcpy (databuf, &bidi_cache_idx, sizeof (bidi_cache_idx));
   memcpy (databuf + sizeof (bidi_cache_idx),
@@ -706,9 +709,7 @@ bidi_unshelve_cache (void *databuf, int just_free)
 
           memcpy (&idx, p, sizeof (bidi_cache_idx));
           bidi_cache_total_alloc -=
-            sizeof (bidi_cache_idx) + idx * sizeof (struct bidi_it)
-            + sizeof (bidi_cache_start_stack) + sizeof (bidi_cache_sp)
-            + sizeof (bidi_cache_start) + sizeof (bidi_cache_last_idx);
+            bidi_shelve_header_size + idx * sizeof (struct bidi_it);
         }
       else
         {
@@ -737,9 +738,7 @@ bidi_unshelve_cache (void *databuf, int just_free)
                   + sizeof (bidi_cache_start),
                   sizeof (bidi_cache_last_idx));
           bidi_cache_total_alloc -=
-            sizeof (bidi_cache_idx) + bidi_cache_idx * sizeof (struct bidi_it)
-            + sizeof (bidi_cache_start_stack) + sizeof (bidi_cache_sp)
-            + sizeof (bidi_cache_start) + sizeof (bidi_cache_last_idx);
+            bidi_shelve_header_size + bidi_cache_idx * sizeof (struct bidi_it);
         }
 
       xfree (p);
@@ -828,7 +827,7 @@ bidi_init_it (EMACS_INT charpos, EMACS_INT bytepos, int frame_window_p,
     bidi_it->prev_for_neutral.orig_type = UNKNOWN_BT;
   bidi_it->sor = L2R;    /* FIXME: should it be user-selectable? */
   bidi_it->disp_pos = -1;       /* invalid/unknown */
-  bidi_it->disp_prop_p = 0;
+  bidi_it->disp_prop = 0;
   /* We can only shrink the cache if we are at the bottom level of its
      "stack".  */
   if (bidi_cache_start == 0)
@@ -908,19 +907,21 @@ bidi_char_at_pos (EMACS_INT bytepos, const unsigned char *s, int unibyte)
 
 /* Fetch and return the character at BYTEPOS/CHARPOS.  If that
    character is covered by a display string, treat the entire run of
-   covered characters as a single character u+FFFC, and return their
-   combined length in CH_LEN and NCHARS.  DISP_POS specifies the
-   character position of the next display string, or -1 if not yet
-   computed.  DISP_PROP_P non-zero means that there's really a display
-   string at DISP_POS, as opposed to when we searched till DISP_POS
-   without findingone.  When the next character is at or beyond that
+   covered characters as a single character, either u+2029 or u+FFFC,
+   and return their combined length in CH_LEN and NCHARS.  DISP_POS
+   specifies the character position of the next display string, or -1
+   if not yet computed.  When the next character is at or beyond that
    position, the function updates DISP_POS with the position of the
-   next display string.  STRING->s is the C string to iterate, or NULL
-   if iterating over a buffer or a Lisp string; in the latter case,
-   STRING->lstring is the Lisp string.  */
+   next display string.  DISP_PROP non-zero means that there's really
+   a display string at DISP_POS, as opposed to when we searched till
+   DISP_POS without finding one.  If DISP_PROP is 2, it means the
+   display spec is of the form `(space ...)', which is replaced with
+   u+2029 to handle it as a paragraph separator.  STRING->s is the C
+   string to iterate, or NULL if iterating over a buffer or a Lisp
+   string; in the latter case, STRING->lstring is the Lisp string.  */
 static inline int
 bidi_fetch_char (EMACS_INT bytepos, EMACS_INT charpos, EMACS_INT *disp_pos,
-                 int *disp_prop_p, struct bidi_string_data *string,
+                 int *disp_prop, struct bidi_string_data *string,
                  int frame_window_p, EMACS_INT *ch_len, EMACS_INT *nchars)
 {
   int ch;
@@ -934,7 +935,7 @@ bidi_fetch_char (EMACS_INT bytepos, EMACS_INT charpos, EMACS_INT *disp_pos,
     {
       SET_TEXT_POS (pos, charpos, bytepos);
       *disp_pos = compute_display_string_pos (&pos, string, frame_window_p,
-                                              disp_prop_p);
+                                              disp_prop);
     }
 
   /* Fetch the character at BYTEPOS.  */
@@ -944,9 +945,9 @@ bidi_fetch_char (EMACS_INT bytepos, EMACS_INT charpos, EMACS_INT *disp_pos,
       *ch_len = 1;
       *nchars = 1;
       *disp_pos = endpos;
-      *disp_prop_p = 0;
+      *disp_prop = 0;
     }
-  else if (charpos >= *disp_pos && *disp_prop_p)
+  else if (charpos >= *disp_pos && *disp_prop)
     {
       EMACS_INT disp_end_pos;
 
@@ -954,9 +955,23 @@ bidi_fetch_char (EMACS_INT bytepos, EMACS_INT charpos, EMACS_INT *disp_pos,
          property.  Hopefully, it will never be needed.  */
       if (charpos > *disp_pos)
         abort ();
-      /* Return the Unicode Object Replacement Character to represent
-         the entire run of characters covered by the display string.  */
-      ch = 0xFFFC;
+      /* Text covered by `display' properties and overlays with
+         display properties or display strings is handled as a single
+         character that represents the entire run of characters
+         covered by the display property.  */
+      if (*disp_prop == 2)
+        {
+          /* `(space ...)' display specs are handled as paragraph
+             separators for the purposes of the reordering; see UAX#9
+             section 3 and clause HL1 in section 4.3 there.  */
+          ch = 0x2029;
+        }
+      else
+        {
+          /* All other display specs are handled as the Unicode Object
+             Replacement Character.  */
+          ch = 0xFFFC;
+        }
       disp_end_pos = compute_display_string_end (*disp_pos, string);
       *nchars = disp_end_pos - *disp_pos;
       if (*nchars <= 0)
@@ -1014,11 +1029,11 @@ bidi_fetch_char (EMACS_INT bytepos, EMACS_INT charpos, EMACS_INT *disp_pos,
   /* If we just entered a run of characters covered by a display
      string, compute the position of the next display string.  */
   if (charpos + *nchars <= endpos && charpos + *nchars > *disp_pos
-      && *disp_prop_p)
+      && *disp_prop)
     {
       SET_TEXT_POS (pos, charpos + *nchars, bytepos + *ch_len);
       *disp_pos = compute_display_string_pos (&pos, string, frame_window_p,
-                                              disp_prop_p);
+                                              disp_prop);
     }
 
   return ch;
@@ -1126,7 +1141,7 @@ bidi_paragraph_init (bidi_dir_t dir, struct bidi_it *bidi_it, int no_default_p)
       int ch;
       EMACS_INT ch_len, nchars;
       EMACS_INT pos, disp_pos = -1;
-      int disp_prop_p = 0;
+      int disp_prop = 0;
       bidi_type_t type;
       const unsigned char *s;
 
@@ -1174,7 +1189,7 @@ bidi_paragraph_init (bidi_dir_t dir, struct bidi_it *bidi_it, int no_default_p)
         bytepos = pstartbyte;
         if (!string_p)
           pos = BYTE_TO_CHAR (bytepos);
-        ch = bidi_fetch_char (bytepos, pos, &disp_pos, &disp_prop_p,
+        ch = bidi_fetch_char (bytepos, pos, &disp_pos, &disp_prop,
                               &bidi_it->string,
                               bidi_it->frame_window_p, &ch_len, &nchars);
         type = bidi_get_type (ch, NEUTRAL_DIR);
@@ -1199,7 +1214,7 @@ bidi_paragraph_init (bidi_dir_t dir, struct bidi_it *bidi_it, int no_default_p)
               break;
             /* Fetch next character and advance to get past it.  */
             ch = bidi_fetch_char (bytepos, pos, &disp_pos,
-                                  &disp_prop_p, &bidi_it->string,
+                                  &disp_prop, &bidi_it->string,
                                   bidi_it->frame_window_p, &ch_len, &nchars);
             pos += nchars;
             bytepos += ch_len;
@@ -1336,7 +1351,7 @@ bidi_resolve_explicit_1 (struct bidi_it *bidi_it)
       bidi_it->ch_len = 1;
       bidi_it->nchars = 1;
       bidi_it->disp_pos = (string_p ? bidi_it->string.schars : ZV);
-      bidi_it->disp_prop_p = 0;
+      bidi_it->disp_prop = 0;
     }
   else
     {
@@ -1344,7 +1359,7 @@ bidi_resolve_explicit_1 (struct bidi_it *bidi_it)
          display string, treat the entire run of covered characters as
          a single character u+FFFC.  */
       curchar = bidi_fetch_char (bidi_it->bytepos, bidi_it->charpos,
-                                 &bidi_it->disp_pos, &bidi_it->disp_prop_p,
+                                 &bidi_it->disp_pos, &bidi_it->disp_prop,
                                  &bidi_it->string, bidi_it->frame_window_p,
                                  &bidi_it->ch_len, &bidi_it->nchars);
     }
@@ -2079,7 +2094,7 @@ bidi_level_of_next_char (struct bidi_it *bidi_it)
       struct bidi_string_data bs = bidi_it->string;
       bidi_type_t chtype;
       int fwp = bidi_it->frame_window_p;
-      int dpp = bidi_it->disp_prop_p;
+      int dpp = bidi_it->disp_prop;
 
       if (bidi_it->nchars <= 0)
         abort ();
diff --git a/src/buffer.c b/src/buffer.c
index 832044ae6f4..37d2975c8c7 100644
--- a/src/buffer.c
+++ b/src/buffer.c
@@ -2557,13 +2557,10 @@ overlays_at (EMACS_INT pos, int extend, Lisp_Object **vec_ptr,
                  Either make it bigger, or don't store any more in it.  */
               if (extend)
                 {
-                  if ((OVERLAY_COUNT_MAX - 4) / 2 < len)
-                    memory_full (SIZE_MAX);
-                  /* Make it work with an initial len == 0.  */
-                  len = len * 2 + 4;
-                  *len_ptr = len;
-                  vec = (Lisp_Object *) xrealloc (vec, len * sizeof (Lisp_Object));
+                  vec = xpalloc (vec, len_ptr, 1, OVERLAY_COUNT_MAX,
+                                 sizeof *vec);
                   *vec_ptr = vec;
+                  len = *len_ptr;
                 }
               else
                 inhibit_storing = 1;
@@ -2600,13 +2597,10 @@ overlays_at (EMACS_INT pos, int extend, Lisp_Object **vec_ptr,
             {
               if (extend)
                 {
-                  if ((OVERLAY_COUNT_MAX - 4) / 2 < len)
-                    memory_full (SIZE_MAX);
-                  /* Make it work with an initial len == 0.  */
-                  len = len * 2 + 4;
-                  *len_ptr = len;
-                  vec = (Lisp_Object *) xrealloc (vec, len * sizeof (Lisp_Object));
+                  vec = xpalloc (vec, len_ptr, 1, OVERLAY_COUNT_MAX,
+                                 sizeof *vec);
                   *vec_ptr = vec;
+                  len = *len_ptr;
                 }
               else
                 inhibit_storing = 1;
@@ -2697,13 +2691,10 @@ overlays_in (EMACS_INT beg, EMACS_INT end, int extend,
                  Either make it bigger, or don't store any more in it.  */
               if (extend)
                 {
-                  if ((OVERLAY_COUNT_MAX - 4) / 2 < len)
-                    memory_full (SIZE_MAX);
-                  /* Make it work with an initial len == 0.  */
-                  len = len * 2 + 4;
-                  *len_ptr = len;
-                  vec = (Lisp_Object *) xrealloc (vec, len * sizeof (Lisp_Object));
+                  vec = xpalloc (vec, len_ptr, 1, OVERLAY_COUNT_MAX,
+                                 sizeof *vec);
                   *vec_ptr = vec;
+                  len = *len_ptr;
                 }
               else
                 inhibit_storing = 1;
@@ -2745,13 +2736,10 @@ overlays_in (EMACS_INT beg, EMACS_INT end, int extend,
             {
               if (extend)
                 {
-                  if ((OVERLAY_COUNT_MAX - 4) / 2 < len)
-                    memory_full (SIZE_MAX);
-                  /* Make it work with an initial len == 0.  */
-                  len = len * 2 + 4;
-                  *len_ptr = len;
-                  vec = (Lisp_Object *) xrealloc (vec, len * sizeof (Lisp_Object));
+                  vec = xpalloc (vec, len_ptr, 1, OVERLAY_COUNT_MAX,
+                                 sizeof *vec);
                   *vec_ptr = vec;
+                  len = *len_ptr;
                 }
               else
                 inhibit_storing = 1;
@@ -2933,7 +2921,7 @@ struct sortstrlist
   struct sortstr *buf;  /* An array that expands as needed; never freed.  */
   ptrdiff_t size;       /* Allocated length of that array.  */
   ptrdiff_t used;       /* How much of the array is currently in use.  */
-  EMACS_INT bytes;              /* Total length of the strings in buf.  */
+  ptrdiff_t bytes;      /* Total length of the strings in buf.  */
 };
 
 /* Buffers for storing information about the overlays touching a given
@@ -2944,7 +2932,7 @@ static struct sortstrlist overlay_heads, overlay_tails;
 static unsigned char *overlay_str_buf;
 
 /* Allocated length of overlay_str_buf.  */
-static EMACS_INT overlay_str_len;
+static ptrdiff_t overlay_str_len;
 
 /* A comparison function suitable for passing to qsort.  */
 static int
@@ -2966,17 +2954,7 @@ record_overlay_string (struct sortstrlist *ssl, Lisp_Object str,
   EMACS_INT nbytes;
 
   if (ssl->used == ssl->size)
-    {
-      if (min (PTRDIFF_MAX, SIZE_MAX) / (sizeof (struct sortstr) * 2)
-          < ssl->size)
-        memory_full (SIZE_MAX);
-      else if (0 < ssl->size)
-        ssl->size *= 2;
-      else
-        ssl->size = 5;
-      ssl->buf = ((struct sortstr *)
-                  xrealloc (ssl->buf, ssl->size * sizeof (struct sortstr)));
-    }
+    ssl->buf = xpalloc (ssl->buf, &ssl->size, 5, -1, sizeof *ssl->buf);
   ssl->buf[ssl->used].string = str;
   ssl->buf[ssl->used].string2 = str2;
   ssl->buf[ssl->used].size = size;
@@ -2991,6 +2969,8 @@ record_overlay_string (struct sortstrlist *ssl, Lisp_Object str,
   else
     nbytes = SBYTES (str);
 
+  if (INT_ADD_OVERFLOW (ssl->bytes, nbytes))
+    memory_full (SIZE_MAX);
   ssl->bytes += nbytes;
 
   if (STRINGP (str2))
@@ -3003,6 +2983,8 @@ record_overlay_string (struct sortstrlist *ssl, Lisp_Object str,
       else
         nbytes = SBYTES (str2);
 
+      if (INT_ADD_OVERFLOW (ssl->bytes, nbytes))
+        memory_full (SIZE_MAX);
       ssl->bytes += nbytes;
     }
 }
@@ -3096,14 +3078,15 @@ overlay_strings (EMACS_INT pos, struct window *w, unsigned char **pstr)
       Lisp_Object tem;
       EMACS_INT i;
       unsigned char *p;
-      EMACS_INT total = overlay_heads.bytes + overlay_tails.bytes;
+      ptrdiff_t total;
 
+      if (INT_ADD_OVERFLOW (overlay_heads.bytes, overlay_tails.bytes))
+        memory_full (SIZE_MAX);
+      total = overlay_heads.bytes + overlay_tails.bytes;
       if (total > overlay_str_len)
-        {
-          overlay_str_len = total;
-          overlay_str_buf = (unsigned char *)xrealloc (overlay_str_buf,
-                                                       total);
-        }
+        overlay_str_buf = xpalloc (overlay_str_buf, &overlay_str_len,
+                                   total - overlay_str_len, -1, 1);
+
       p = overlay_str_buf;
       for (i = overlay_tails.used; --i >= 0;)
         {
diff --git a/src/callproc.c b/src/callproc.c
index 3a91be3d8da..1bdb57a27d0 100644
--- a/src/callproc.c
+++ b/src/callproc.c
@@ -252,7 +252,7 @@ usage: (call-process PROGRAM &optional INFILE BUFFER DISPLAY &rest ARGS)  */)
           val = Qraw_text;
         else
           {
-            SAFE_ALLOCA (args2, Lisp_Object *, (nargs + 1) * sizeof *args2);
+            SAFE_NALLOCA (args2, 1, nargs + 1);
             args2[0] = Qcall_process;
             for (i = 0; i < nargs; i++) args2[i + 1] = args[i];
             coding_systems = Ffind_operation_coding_system (nargs + 1, args2);
@@ -726,7 +726,7 @@ usage: (call-process PROGRAM &optional INFILE BUFFER DISPLAY &rest ARGS)  */)
             {
               ptrdiff_t i;
 
-              SAFE_ALLOCA (args2, Lisp_Object *, (nargs + 1) * sizeof *args2);
+              SAFE_NALLOCA (args2, 1, nargs + 1);
               args2[0] = Qcall_process;
               for (i = 0; i < nargs; i++) args2[i + 1] = args[i];
               coding_systems
@@ -1024,7 +1024,7 @@ usage: (call-process-region START END PROGRAM &optional DELETE BUFFER DISPLAY &r
   else
     {
       USE_SAFE_ALLOCA;
-      SAFE_ALLOCA (args2, Lisp_Object *, (nargs + 1) * sizeof *args2);
+      SAFE_NALLOCA (args2, 1, nargs + 1);
       args2[0] = Qcall_process_region;
       for (i = 0; i < nargs; i++) args2[i + 1] = args[i];
       coding_systems = Ffind_operation_coding_system (nargs + 1, args2);
@@ -1153,7 +1153,7 @@ child_setup (int in, int out, int err, register char **new_argv, int set_pgrp, L
      cleaned up in the usual way. */
   {
     register char *temp;
-    register int i;
+    size_t i; /* size_t, because ptrdiff_t might overflow here!  */
 
     i = SBYTES (current_dir);
 #ifdef MSDOS
diff --git a/src/category.c b/src/category.c
index 08eadb04730..a822bb654b0 100644
--- a/src/category.c
+++ b/src/category.c
@@ -67,7 +67,7 @@ static Lisp_Object
 hash_get_category_set (Lisp_Object table, Lisp_Object category_set)
 {
   struct Lisp_Hash_Table *h;
-  EMACS_INT i;
+  ptrdiff_t i;
   EMACS_UINT hash;
 
   if (NILP (XCHAR_TABLE (table)->extras[1]))
diff --git a/src/ccl.c b/src/ccl.c
index 9cfcbfe8703..b28a284f70a 100644
--- a/src/ccl.c
+++ b/src/ccl.c
@@ -1303,7 +1303,7 @@ ccl_driver (struct ccl_program *ccl, int *source, int *destination, int src_size
 
             case CCL_LookupIntConstTbl:
               {
-                EMACS_INT eop;
+                ptrdiff_t eop;
                 struct Lisp_Hash_Table *h;
                 GET_CCL_RANGE (eop, ccl_prog, ic++, 0,
                                (VECTORP (Vtranslation_hash_table_vector)
@@ -1329,7 +1329,7 @@ ccl_driver (struct ccl_program *ccl, int *source, int *destination, int src_size
 
             case CCL_LookupCharConstTbl:
               {
-                EMACS_INT eop;
+                ptrdiff_t eop;
                 struct Lisp_Hash_Table *h;
                 GET_CCL_RANGE (eop, ccl_prog, ic++, 0,
                                (VECTORP (Vtranslation_hash_table_vector)
@@ -1770,7 +1770,7 @@ ccl_driver (struct ccl_program *ccl, int *source, int *destination, int src_size
         }
 
       msglen = strlen (msg);
-      if (dst + msglen <= dst_end)
+      if (msglen <= dst_end - dst)
         {
           for (i = 0; i < msglen; i++)
             *dst++ = msg[i];
@@ -2061,12 +2061,13 @@ usage: (ccl-execute-on-string CCL-PROGRAM STATUS STRING &optional CONTINUE UNIBY
   Lisp_Object val;
   struct ccl_program ccl;
   int i;
-  EMACS_INT outbufsize;
+  ptrdiff_t outbufsize;
   unsigned char *outbuf, *outp;
-  EMACS_INT str_chars, str_bytes;
+  ptrdiff_t str_chars, str_bytes;
 #define CCL_EXECUTE_BUF_SIZE 1024
   int source[CCL_EXECUTE_BUF_SIZE], destination[CCL_EXECUTE_BUF_SIZE];
-  EMACS_INT consumed_chars, consumed_bytes, produced_chars;
+  ptrdiff_t consumed_chars, consumed_bytes, produced_chars;
+  int buf_magnification;
 
   if (setup_ccl_program (&ccl, ccl_prog) < 0)
     error ("Invalid CCL program");
@@ -2093,6 +2094,10 @@ usage: (ccl-execute-on-string CCL-PROGRAM STATUS STRING &optional CONTINUE UNIBY
         ccl.ic = i;
     }
 
+  buf_magnification = ccl.buf_magnification ? ccl.buf_magnification : 1;
+
+  if ((min (PTRDIFF_MAX, SIZE_MAX) - 256) / buf_magnification < str_bytes)
+    memory_full (SIZE_MAX);
   outbufsize = (ccl.buf_magnification
                 ? str_bytes * ccl.buf_magnification + 256
                 : str_bytes + 256);
@@ -2122,31 +2127,25 @@ usage: (ccl-execute-on-string CCL-PROGRAM STATUS STRING &optional CONTINUE UNIBY
       src_size = j;
       while (1)
         {
+          int max_expansion = NILP (unibyte_p) ? MAX_MULTIBYTE_LENGTH : 1;
+          ptrdiff_t offset, shortfall;
           ccl_driver (&ccl, src, destination, src_size, CCL_EXECUTE_BUF_SIZE,
                       Qnil);
           produced_chars += ccl.produced;
+          offset = outp - outbuf;
+          shortfall = ccl.produced * max_expansion - (outbufsize - offset);
+          if (0 < shortfall)
+            {
+              outbuf = xpalloc (outbuf, &outbufsize, shortfall, -1, 1);
+              outp = outbuf + offset;
+            }
           if (NILP (unibyte_p))
             {
-              if (outp - outbuf + MAX_MULTIBYTE_LENGTH * ccl.produced
-                  > outbufsize)
-                {
-                  EMACS_INT offset = outp - outbuf;
-                  outbufsize += MAX_MULTIBYTE_LENGTH * ccl.produced;
-                  outbuf = (unsigned char *) xrealloc (outbuf, outbufsize);
-                  outp = outbuf + offset;
-                }
               for (j = 0; j < ccl.produced; j++)
                 CHAR_STRING_ADVANCE (destination[j], outp);
             }
           else
             {
-              if (outp - outbuf + ccl.produced > outbufsize)
-                {
-                  EMACS_INT offset = outp - outbuf;
-                  outbufsize += ccl.produced;
-                  outbuf = (unsigned char *) xrealloc (outbuf, outbufsize);
-                  outp = outbuf + offset;
-                }
               for (j = 0; j < ccl.produced; j++)
                 *outp++ = destination[j];
             }
diff --git a/src/character.c b/src/character.c
index 8e9b3e3775e..fb9b8a9b93e 100644
--- a/src/character.c
+++ b/src/character.c
@@ -326,7 +326,7 @@ usage: (char-width CHAR)  */)
   disp = dp ? DISP_CHAR_VECTOR (dp, c) : Qnil;
 
   if (VECTORP (disp))
-    width = ASIZE (disp);
+    width = sanitize_char_width (ASIZE (disp));
   else
     width = CHAR_WIDTH (c);
 
@@ -358,7 +358,7 @@ c_string_width (const unsigned char *str, EMACS_INT len, int precision,
         {
           val = DISP_CHAR_VECTOR (dp, c);
           if (VECTORP (val))
-            thiswidth = ASIZE (val);
+            thiswidth = sanitize_char_width (ASIZE (val));
           else
             thiswidth = CHAR_WIDTH (c);
         }
@@ -423,7 +423,7 @@ lisp_string_width (Lisp_Object string, EMACS_INT precision,
     {
       EMACS_INT chars, bytes, thiswidth;
       Lisp_Object val;
-      int cmp_id;
+      ptrdiff_t cmp_id;
       EMACS_INT ignore, end;
 
       if (find_composition (i, -1, &ignore, &end, &val, string)
@@ -451,7 +451,7 @@ lisp_string_width (Lisp_Object string, EMACS_INT precision,
             {
               val = DISP_CHAR_VECTOR (dp, c);
               if (VECTORP (val))
-                thiswidth = ASIZE (val);
+                thiswidth = sanitize_char_width (ASIZE (val));
               else
                 thiswidth = CHAR_WIDTH (c);
             }
@@ -902,7 +902,7 @@ usage: (string &rest CHARACTERS)  */)
   Lisp_Object str;
   USE_SAFE_ALLOCA;
 
-  SAFE_ALLOCA (buf, unsigned char *, MAX_MULTIBYTE_LENGTH * n);
+  SAFE_NALLOCA (buf, MAX_MULTIBYTE_LENGTH, n);
   p = buf;
 
   for (i = 0; i < n; i++)
diff --git a/src/character.h b/src/character.h
index 063b5147dc9..09bcf17ab96 100644
--- a/src/character.h
+++ b/src/character.h
@@ -556,6 +556,16 @@ along with GNU Emacs.  If not, see <http://www.gnu.org/licenses/>.  */
   } while (0)
 
 
+/* Return a non-outlandish value for the tab width.  */
+
+#define SANE_TAB_WIDTH(buf) \
+  sanitize_tab_width (XFASTINT (BVAR (buf, tab_width)))
+static inline int
+sanitize_tab_width (EMACS_INT width)
+{
+  return 0 < width && width <= 1000 ? width : 8;
+}
+
 /* Return the width of ASCII character C.  The width is measured by
    how many columns C will occupy on the screen when displayed in the
    current buffer.  */
@@ -563,12 +573,20 @@ along with GNU Emacs.  If not, see <http://www.gnu.org/licenses/>.  */
 #define ASCII_CHAR_WIDTH(c)                                             \
   (c < 0x20                                                             \
    ? (c == '\t'                                                         \
-      ? XFASTINT (BVAR (current_buffer, tab_width))                             \
+      ? SANE_TAB_WIDTH (current_buffer)                                 \
       : (c == '\n' ? 0 : (NILP (BVAR (current_buffer, ctl_arrow)) ? 4 : 2)))    \
    : (c < 0x7f                                                          \
       ? 1                                                               \
       : ((NILP (BVAR (current_buffer, ctl_arrow)) ? 4 : 2))))
 
+/* Return a non-outlandish value for a character width.  */
+
+static inline int
+sanitize_char_width (EMACS_INT width)
+{
+  return 0 <= width && width <= 1000 ? width : 1000;
+}
+
 /* Return the width of character C.  The width is measured by how many
    columns C will occupy on the screen when displayed in the current
    buffer.  */
@@ -576,7 +594,7 @@ along with GNU Emacs.  If not, see <http://www.gnu.org/licenses/>.  */
 #define CHAR_WIDTH(c)           \
   (ASCII_CHAR_P (c)             \
    ? ASCII_CHAR_WIDTH (c)       \
-   : XINT (CHAR_TABLE_REF (Vchar_width_table, c)))
+   : sanitize_char_width (XINT (CHAR_TABLE_REF (Vchar_width_table, c))))
 
 /* If C is a variation selector, return the index numnber of the
    variation selector (1..256).  Otherwise, return 0.  */
diff --git a/src/charset.c b/src/charset.c
index 55234aa76aa..6967b9df611 100644
--- a/src/charset.c
+++ b/src/charset.c
@@ -61,7 +61,7 @@ Lisp_Object Vcharset_hash_table;
 /* Table of struct charset.  */
 struct charset *charset_table;
 
-static int charset_table_size;
+static ptrdiff_t charset_table_size;
 static int charset_table_used;
 
 Lisp_Object Qcharsetp;
@@ -419,7 +419,7 @@ load_charset_map (struct charset *charset, struct charset_map_entries *entries,
    paying attention to comment character '#'.  */
 
 static inline unsigned
-read_hex (FILE *fp, int *eof)
+read_hex (FILE *fp, int *eof, int *overflow)
 {
   int c;
   unsigned n;
@@ -441,15 +441,16 @@ read_hex (FILE *fp, int *eof)
       *eof = 1;
       return 0;
     }
-  *eof = 0;
   n = 0;
-  if (c == 'x')
-    while ((c = getc (fp)) != EOF && isxdigit (c))
+  while (isxdigit (c = getc (fp)))
+    {
+      if (UINT_MAX >> 4 < n)
+        *overflow = 1;
       n = ((n << 4)
-           | (c <= '9' ? c - '0' : c <= 'F' ? c - 'A' + 10 : c - 'a' + 10));
-  else
-    while ((c = getc (fp)) != EOF && isdigit (c))
-      n = (n * 10) + c - '0';
+           | (c - ('0' <= c && c <= '9' ? '0'
+                   : 'A' <= c && c <= 'F' ? 'A' - 10
+                   : 'a' - 10)));
+    }
   if (c != EOF)
     ungetc (c, fp);
   return n;
@@ -479,7 +480,6 @@ load_charset_map_from_file (struct charset *charset, Lisp_Object mapfile, int co
   unsigned max_code = CHARSET_MAX_CODE (charset);
   int fd;
   FILE *fp;
-  int eof;
   Lisp_Object suffixes;
   struct charset_map_entries *head, *entries;
   int n_entries, count;
@@ -504,22 +504,27 @@ load_charset_map_from_file (struct charset *charset, Lisp_Object mapfile, int co
   memset (entries, 0, sizeof (struct charset_map_entries));
 
   n_entries = 0;
-  eof = 0;
   while (1)
     {
-      unsigned from, to;
-      int c;
+      unsigned from, to, c;
       int idx;
+      int eof = 0, overflow = 0;
 
-      from = read_hex (fp, &eof);
+      from = read_hex (fp, &eof, &overflow);
       if (eof)
         break;
       if (getc (fp) == '-')
-        to = read_hex (fp, &eof);
+        to = read_hex (fp, &eof, &overflow);
       else
         to = from;
-      c = (int) read_hex (fp, &eof);
+      if (eof)
+        break;
+      c = read_hex (fp, &eof, &overflow);
+      if (eof)
+        break;
 
+      if (overflow)
+        continue;
       if (from < min_code || to > max_code || from > to || c > MAX_CHAR)
         continue;
 
@@ -1145,13 +1150,25 @@ usage: (define-charset-internal ...)  */)
                                      hash_code);
       if (charset_table_used == charset_table_size)
         {
-          struct charset *new_table
-            = (struct charset *) xmalloc (sizeof (struct charset)
-                                          * (charset_table_size + 16));
-          memcpy (new_table, charset_table,
-                  sizeof (struct charset) * charset_table_size);
-          charset_table_size += 16;
+          /* Ensure that charset IDs fit into 'int' as well as into the
+             restriction imposed by fixnums.  Although the 'int' restriction
+             could be removed, too much other code would need altering; for
+             example, the IDs are stuffed into struct
+             coding_system.charbuf[i] entries, which are 'int'.  */
+          int old_size = charset_table_size;
+          struct charset *new_table =
+            xpalloc (0, &charset_table_size, 1,
+                     min (INT_MAX, MOST_POSITIVE_FIXNUM),
+                     sizeof *charset_table);
+          memcpy (new_table, charset_table, old_size * sizeof *new_table);
           charset_table = new_table;
+          /* FIXME: Doesn't this leak memory?  The old charset_table becomes
+             unreachable.  It could be that this is intentional, because the
+             old charset table may be in a dumped emacs, and reallocating such
+             a table may not work.  If the memory leak is intentional, a
+             comment should be added to explain this.  If not, the old
+             charset_table should be freed, by passing it as the 1st argument
+             to xpalloc and removing the memcpy.  */
         }
       id = charset_table_used++;
       new_definition_p = 1;
@@ -2210,14 +2227,16 @@ struct charset_sort_data
 {
   Lisp_Object charset;
   int id;
-  int priority;
+  ptrdiff_t priority;
 };
 
 static int
 charset_compare (const void *d1, const void *d2)
 {
   const struct charset_sort_data *data1 = d1, *data2 = d2;
-  return (data1->priority - data2->priority);
+  if (data1->priority != data2->priority)
+    return data1->priority < data2->priority ? -1 : 1;
+  return 0;
 }
 
 DEFUN ("sort-charsets", Fsort_charsets, Ssort_charsets, 1, 1, 0,
@@ -2227,7 +2246,8 @@ See also `charset-priority-list' and `set-charset-priority'.  */)
      (Lisp_Object charsets)
 {
   Lisp_Object len = Flength (charsets);
-  int n = XFASTINT (len), i, j, done;
+  ptrdiff_t n = XFASTINT (len), i, j;
+  int done;
   Lisp_Object tail, elt, attrs;
   struct charset_sort_data *sort_data;
   int id, min_id = INT_MAX, max_id = INT_MIN;
@@ -2235,7 +2255,7 @@ See also `charset-priority-list' and `set-charset-priority'.  */)
 
   if (n == 0)
     return Qnil;
-  SAFE_ALLOCA (sort_data, struct charset_sort_data *, sizeof (*sort_data) * n);
+  SAFE_NALLOCA (sort_data, 1, n);
   for (tail = charsets, i = 0; CONSP (tail); tail = XCDR (tail), i++)
     {
       elt = XCAR (tail);
@@ -2310,6 +2330,17 @@ init_charset_once (void)
 void
 syms_of_charset (void)
 {
+  /* Allocate an initial charset table that is just under 64 KiB in size.
+     This should be large enough so that the charset table need not be
+     reallocated during an initial bootstrap.  Allocating anything larger than
+     64 KiB in an initial run may not work, because glibc malloc might use
+     mmap for larger allocations, and these don't work well across dumped
+     systems.  */
+  enum {
+    initial_malloc_max = (1 << 16) - 1,
+    charset_table_size_init = initial_malloc_max / sizeof (struct charset)
+  };
+
   DEFSYM (Qcharsetp, "charsetp");
 
   DEFSYM (Qascii, "ascii");
@@ -2342,9 +2373,9 @@ syms_of_charset (void)
     Vcharset_hash_table = Fmake_hash_table (2, args);
   }
 
-  charset_table_size = 128;
-  charset_table = ((struct charset *)
-                   xmalloc (sizeof (struct charset) * charset_table_size));
+  charset_table = (struct charset *) xmalloc (sizeof (struct charset)
+                                              * charset_table_size_init);
+  charset_table_size = charset_table_size_init;
   charset_table_used = 0;
 
   defsubr (&Scharsetp);
diff --git a/src/charset.h b/src/charset.h
index c2a52a38e7e..be02bc0feae 100644
--- a/src/charset.h
+++ b/src/charset.h
@@ -148,7 +148,7 @@ struct charset
   int id;
 
   /* Index to Vcharset_hash_table.  */
-  EMACS_INT hash_index;
+  ptrdiff_t hash_index;
 
   /* Dimension of the charset: 1, 2, 3, or 4.  */
   int dimension;
@@ -341,7 +341,7 @@ extern int emacs_mule_charset[256];
    number of the charset.  Otherwise, signal an error. */
 #define CHECK_CHARSET_GET_ID(x, id)                                     \
   do {                                                                  \
-    int idx;                                                            \
+    ptrdiff_t idx;                                                      \
                                                                         \
     if (! SYMBOLP (x) || (idx = CHARSET_SYMBOL_HASH_INDEX (x)) < 0)     \
       wrong_type_argument (Qcharsetp, (x));                             \
diff --git a/src/cmds.c b/src/cmds.c
index c079ad7168f..5a155ac77a5 100644
--- a/src/cmds.c
+++ b/src/cmds.c
@@ -472,7 +472,7 @@ internal_self_insert (int c, EMACS_INT n)
     {
       USE_SAFE_ALLOCA;
       char *strn, *p;
-      SAFE_ALLOCA (strn, char *, n * len);
+      SAFE_NALLOCA (strn, len, n);
       for (p = strn; n > 0; n--, p += len)
         memcpy (p, str, len);
       insert_and_inherit (strn, p - strn);
diff --git a/src/coding.c b/src/coding.c
index 65c8a767c2b..5fd59d394d9 100644
--- a/src/coding.c
+++ b/src/coding.c
@@ -5838,7 +5838,7 @@ coding_charset_list (struct coding_system *coding)
 Lisp_Object
 coding_system_charset_list (Lisp_Object coding_system)
 {
-  int id;
+  ptrdiff_t id;
   Lisp_Object attrs, charset_list;
 
   CHECK_CODING_SYSTEM_GET_ID (coding_system, id);
@@ -6683,8 +6683,12 @@ produce_chars (struct coding_system *coding, Lisp_Object translation_table,
                     break;
                 }
 
-              if (dst + MAX_MULTIBYTE_LENGTH * to_nchars > dst_end)
+              if ((dst_end - dst) / MAX_MULTIBYTE_LENGTH < to_nchars)
                 {
+                  if (((min (PTRDIFF_MAX, SIZE_MAX) - (buf_end - buf))
+                       / MAX_MULTIBYTE_LENGTH)
+                      < to_nchars)
+                    memory_full (SIZE_MAX);
                   dst = alloc_destination (coding,
                                            buf_end - buf
                                            + MAX_MULTIBYTE_LENGTH * to_nchars,
@@ -7888,11 +7892,10 @@ encode_coding_object (struct coding_system *coding,
     }
   else if (EQ (dst_object, Qt))
     {
+      ptrdiff_t dst_bytes = max (1, coding->src_chars);
       coding->dst_object = Qnil;
-      coding->dst_bytes = coding->src_chars;
-      if (coding->dst_bytes == 0)
-        coding->dst_bytes = 1;
-      coding->destination = (unsigned char *) xmalloc (coding->dst_bytes);
+      coding->destination = (unsigned char *) xmalloc (dst_bytes);
+      coding->dst_bytes = dst_bytes;
       coding->dst_multibyte = 0;
     }
   else
@@ -8076,7 +8079,7 @@ detect_coding_system (const unsigned char *src,
   Lisp_Object attrs, eol_type;
   Lisp_Object val = Qnil;
   struct coding_system coding;
-  int id;
+  ptrdiff_t id;
   struct coding_detection_info detect_info;
   enum coding_category base_category;
   int null_byte_found = 0, eight_bit_found = 0;
diff --git a/src/coding.h b/src/coding.h
index 85e153dcc3a..fdf9b762e75 100644
--- a/src/coding.h
+++ b/src/coding.h
@@ -415,7 +415,7 @@ struct coding_system
      setup_coding_system.  At the early stage of building time, this
      value is -1 in the array coding_categories to indicate that no
      coding-system of that category is yet defined.  */
-  int id;
+  ptrdiff_t id;
 
   /* Flag bits of the coding system.  The meaning of each bit is common
      to all types of coding systems.  */
diff --git a/src/composite.c b/src/composite.c
index 3308a028042..2a3fbe29552 100644
--- a/src/composite.c
+++ b/src/composite.c
@@ -142,10 +142,10 @@ Lisp_Object Qcomposition;
 struct composition **composition_table;
 
 /* The current size of `composition_table'.  */
-static int composition_table_size;
+static ptrdiff_t composition_table_size;
 
 /* Number of compositions currently made. */
-int n_compositions;
+ptrdiff_t n_compositions;
 
 /* Hash table for compositions.  The key is COMPONENTS-VEC of
    `composition' property.  The value is the corresponding
@@ -172,19 +172,30 @@ Lisp_Object composition_temp;
 
    If the composition is invalid, return -1.  */
 
-int
+ptrdiff_t
 get_composition_id (EMACS_INT charpos, EMACS_INT bytepos, EMACS_INT nchars,
                     Lisp_Object prop, Lisp_Object string)
 {
   Lisp_Object id, length, components, key, *key_contents;
-  int glyph_len;
+  ptrdiff_t glyph_len;
   struct Lisp_Hash_Table *hash_table = XHASH_TABLE (composition_hash_table);
-  EMACS_INT hash_index;
+  ptrdiff_t hash_index;
   EMACS_UINT hash_code;
+  enum composition_method method;
   struct composition *cmp;
   EMACS_INT i;
   int ch;
 
+  /* Maximum length of a string of glyphs.  XftGlyphExtents limits
+     this to INT_MAX, and Emacs limits it further.  Divide INT_MAX - 1
+     by 2 because x_produce_glyphs computes glyph_len * 2 + 1.  Divide
+     the size by MAX_MULTIBYTE_LENGTH because encode_terminal_code
+     multiplies glyph_len by MAX_MULTIBYTE_LENGTH.  */
+  enum {
+    GLYPH_LEN_MAX = min ((INT_MAX - 1) / 2,
+                         min (PTRDIFF_MAX, SIZE_MAX) / MAX_MULTIBYTE_LENGTH)
+  };
+
   /* PROP should be
         Form-A: ((LENGTH . COMPONENTS) . MODIFICATION-FUNC)
      or
@@ -258,21 +269,9 @@ get_composition_id (EMACS_INT charpos, EMACS_INT bytepos, EMACS_INT nchars,
   /* This composition is a new one.  We must register it.  */
 
   /* Check if we have sufficient memory to store this information.  */
-  if (composition_table_size == 0)
-    {
-      composition_table_size = 256;
-      composition_table
-        = (struct composition **) xmalloc (sizeof (composition_table[0])
-                                           * composition_table_size);
-    }
-  else if (composition_table_size <= n_compositions)
-    {
-      composition_table_size += 256;
-      composition_table
-        = (struct composition **) xrealloc (composition_table,
-                                            sizeof (composition_table[0])
-                                            * composition_table_size);
-    }
+  if (composition_table_size <= n_compositions)
+    composition_table = xpalloc (composition_table, &composition_table_size,
+                                 1, -1, sizeof *composition_table);
 
   key_contents = XVECTOR (key)->contents;
 
@@ -316,20 +315,26 @@ get_composition_id (EMACS_INT charpos, EMACS_INT bytepos, EMACS_INT nchars,
   /* Register the composition in composition_hash_table.  */
   hash_index = hash_put (hash_table, key, id, hash_code);
 
+  method = (NILP (components)
+            ? COMPOSITION_RELATIVE
+            : ((INTEGERP (components) || STRINGP (components))
+               ? COMPOSITION_WITH_ALTCHARS
+               : COMPOSITION_WITH_RULE_ALTCHARS));
+
+  glyph_len = (method == COMPOSITION_WITH_RULE_ALTCHARS
+               ? (ASIZE (key) + 1) / 2
+               : ASIZE (key));
+
+  if (GLYPH_LEN_MAX < glyph_len)
+    memory_full (SIZE_MAX);
+
   /* Register the composition in composition_table.  */
   cmp = (struct composition *) xmalloc (sizeof (struct composition));
 
-  cmp->method = (NILP (components)
-                 ? COMPOSITION_RELATIVE
-                 : ((INTEGERP (components) || STRINGP (components))
-                    ? COMPOSITION_WITH_ALTCHARS
-                    : COMPOSITION_WITH_RULE_ALTCHARS));
+  cmp->method = method;
   cmp->hash_index = hash_index;
-  glyph_len = (cmp->method == COMPOSITION_WITH_RULE_ALTCHARS
-               ? (ASIZE (key) + 1) / 2
-               : ASIZE (key));
   cmp->glyph_len = glyph_len;
-  cmp->offsets = (short *) xmalloc (sizeof (short) * glyph_len * 2);
+  cmp->offsets = xnmalloc (glyph_len, 2 * sizeof *cmp->offsets);
   cmp->font = NULL;
 
   if (cmp->method != COMPOSITION_WITH_RULE_ALTCHARS)
@@ -656,7 +661,7 @@ static Lisp_Object
 gstring_lookup_cache (Lisp_Object header)
 {
   struct Lisp_Hash_Table *h = XHASH_TABLE (gstring_hash_table);
-  EMACS_INT i = hash_lookup (h, header, NULL);
+  ptrdiff_t i = hash_lookup (h, header, NULL);
 
   return (i >= 0 ? HASH_VALUE (h, i) : Qnil);
 }
@@ -691,7 +696,7 @@ composition_gstring_put_cache (Lisp_Object gstring, EMACS_INT len)
 }
 
 Lisp_Object
-composition_gstring_from_id (int id)
+composition_gstring_from_id (ptrdiff_t id)
 {
   struct Lisp_Hash_Table *h = XHASH_TABLE (gstring_hash_table);
 
diff --git a/src/composite.h b/src/composite.h
index 8cedfdbe352..c57e2a0e9b3 100644
--- a/src/composite.h
+++ b/src/composite.h
@@ -170,7 +170,7 @@ extern Lisp_Object composition_temp;
 
 struct composition {
   /* Number of glyphs of the composition components.  */
-  unsigned glyph_len;
+  int glyph_len;
 
   /* Width, ascent, and descent pixels of the composition.  */
   short pixel_width, ascent, descent;
@@ -193,7 +193,7 @@ struct composition {
   void *font;
 
   /* Pointer to an array of x-offset and y-offset (by pixels) of
-     glyphs.  This points to a sufficient memory space (sizeof (int) *
+     glyphs.  This points to a sufficient memory space (sizeof (short) *
      glyph_len * 2) that is allocated when the composition is
      registered in composition_table.  X-offset and Y-offset of Nth
      glyph are (2N)th and (2N+1)th elements respectively.  */
@@ -204,7 +204,7 @@ struct composition {
    COMPOSITION-ID.  */
 extern struct composition **composition_table;
 /* Number of the currently registered compositions.  */
-extern int n_compositions;
+extern ptrdiff_t n_compositions;
 
 /* Mask bits for CHECK_MASK arg to update_compositions.
    For a change in the region FROM and TO, check compositions ... */
@@ -216,8 +216,8 @@ extern int n_compositions;
 
 extern Lisp_Object Qcomposition;
 extern Lisp_Object composition_hash_table;
-extern int get_composition_id (EMACS_INT, EMACS_INT, EMACS_INT,
-                               Lisp_Object, Lisp_Object);
+extern ptrdiff_t get_composition_id (EMACS_INT, EMACS_INT, EMACS_INT,
+                                     Lisp_Object, Lisp_Object);
 extern int find_composition (EMACS_INT, EMACS_INT, EMACS_INT *, EMACS_INT *,
                              Lisp_Object *, Lisp_Object);
 extern void update_compositions (EMACS_INT, EMACS_INT, int);
@@ -299,7 +299,7 @@ struct face;
 struct font_metrics;
 
 extern Lisp_Object composition_gstring_put_cache (Lisp_Object, EMACS_INT);
-extern Lisp_Object composition_gstring_from_id (int);
+extern Lisp_Object composition_gstring_from_id (ptrdiff_t);
 extern int composition_gstring_p (Lisp_Object);
 extern int composition_gstring_width (Lisp_Object, EMACS_INT, EMACS_INT,
                                       struct font_metrics *);
diff --git a/src/dispextern.h b/src/dispextern.h
index 4d890fe6a37..641391b8c9c 100644
--- a/src/dispextern.h
+++ b/src/dispextern.h
@@ -582,7 +582,7 @@ struct glyph_pool
   struct glyph *glyphs;
 
   /* Allocated size of `glyphs'.  */
-  int nglyphs;
+  ptrdiff_t nglyphs;
 
   /* Number of rows and columns in a matrix.  */
   int nrows, ncolumns;
@@ -632,7 +632,7 @@ struct glyph_matrix
   struct glyph_row *rows;
 
   /* Number of elements allocated for the vector rows above.  */
-  int rows_allocated;
+  ptrdiff_t rows_allocated;
 
   /* The number of rows used by the window if all lines were displayed
      with the smallest possible character height.  */
@@ -1247,7 +1247,7 @@ struct glyph_string
   struct composition *cmp;
 
   /* If not negative, this string describes a compos.  */
-  int cmp_id;
+  ptrdiff_t cmp_id;
 
   /* Start and end glyph indices in a glyph-string.  */
   int cmp_from, cmp_to;
@@ -1718,7 +1718,8 @@ struct face_cache
   struct face **faces_by_id;
 
   /* The allocated size, and number of used slots of faces_by_id.  */
-  int size, used;
+  ptrdiff_t size;
+  int used;
 
   /* Flag indicating that attributes of the `menu' face have been
      changed.  */
@@ -1870,8 +1871,9 @@ struct bidi_it {
   bidi_dir_t sor;               /* direction of start-of-run in effect */
   int scan_dir;                 /* direction of text scan, 1: forw, -1: back */
   EMACS_INT disp_pos;           /* position of display string after ch */
-  int disp_prop_p;              /* if non-zero, there really is a
-                                   `display' property/string at disp_pos */
+  int disp_prop;                /* if non-zero, there really is a
+                                   `display' property/string at disp_pos;
+                                   if 2, the property is a `space' spec */
   int stack_idx;                /* index of current data on the stack */
   /* Note: Everything from here on is not copied/saved when the bidi
      iterator state is saved, pushed, or popped.  So only put here
@@ -2075,7 +2077,7 @@ struct composition_it
   EMACS_INT stop_pos;
   /* ID number of the composition or glyph-string.  If negative, we
      are not iterating over a composition now.  */
-  int id;
+  ptrdiff_t id;
   /* If non-negative, character that triggers the automatic
      composition at `stop_pos', and this is an automatic composition.
      If negative, this is a static composition.  This is set to -2
@@ -2265,7 +2267,7 @@ struct it
       struct {
         Lisp_Object object;
         struct it_slice slice;
-        int image_id;
+        ptrdiff_t image_id;
       } image;
       /* method == GET_FROM_COMPOSITION */
       struct {
@@ -2402,7 +2404,7 @@ struct it
   enum glyphless_display_method glyphless_method;
 
   /* If what == IT_IMAGE, the id of the image to display.  */
-  int image_id;
+  ptrdiff_t image_id;
 
 #ifdef HAVE_XWIDGETS  
   /* If what == IT_XWIDGET*/
@@ -2856,7 +2858,7 @@ struct image
   EMACS_UINT hash;
 
   /* Image id of this image.  */
-  int id;
+  ptrdiff_t id;
 
   /* Hash collision chain.  */
   struct image *next, *prev;
@@ -2875,13 +2877,13 @@ struct image_cache
   struct image **images;
 
   /* Allocated size of `images'.  */
-  unsigned size;
+  ptrdiff_t size;
 
   /* Number of images in the cache.  */
-  unsigned used;
+  ptrdiff_t used;
 
   /* Reference count (number of frames sharing this cache).  */
-  int refcount;
+  ptrdiff_t refcount;
 };
 
 
@@ -3148,7 +3150,7 @@ void w32_reset_fringes (void);
 extern int x_bitmap_height (struct frame *, ptrdiff_t);
 extern int x_bitmap_width (struct frame *, ptrdiff_t);
 extern int x_bitmap_pixmap (struct frame *, ptrdiff_t);
-extern void x_reference_bitmap (struct frame *, int);
+extern void x_reference_bitmap (struct frame *, ptrdiff_t);
 extern ptrdiff_t x_create_bitmap_from_data (struct frame *, char *,
                                             unsigned int, unsigned int);
 extern ptrdiff_t x_create_bitmap_from_file (struct frame *, Lisp_Object);
@@ -3169,7 +3171,7 @@ void clear_image_caches (Lisp_Object);
 void mark_image_cache (struct image_cache *);
 int valid_image_p (Lisp_Object);
 void prepare_image_for_display (struct frame *, struct image *);
-int lookup_image (struct frame *, Lisp_Object);
+ptrdiff_t lookup_image (struct frame *, Lisp_Object);
 
 unsigned long image_background (struct image *, struct frame *,
                                 XImagePtr_or_DC ximg);
diff --git a/src/dispnew.c b/src/dispnew.c
index a09421a9f15..751ff04f4d7 100644
--- a/src/dispnew.c
+++ b/src/dispnew.c
@@ -497,12 +497,12 @@ adjust_glyph_matrix (struct window *w, struct glyph_matrix *matrix, int x, int y
   /* Enlarge MATRIX->rows if necessary.  New rows are cleared.  */
   if (matrix->rows_allocated < dim.height)
     {
-      ptrdiff_t size = dim.height * sizeof (struct glyph_row);
+      int old_alloc = matrix->rows_allocated;
       new_rows = dim.height - matrix->rows_allocated;
-      matrix->rows = (struct glyph_row *) xrealloc (matrix->rows, size);
-      memset (matrix->rows + matrix->rows_allocated, 0,
-              new_rows * sizeof *matrix->rows);
-      matrix->rows_allocated = dim.height;
+      matrix->rows = xpalloc (matrix->rows, &matrix->rows_allocated,
+                              new_rows, INT_MAX, sizeof *matrix->rows);
+      memset (matrix->rows + old_alloc, 0,
+              (matrix->rows_allocated - old_alloc) * sizeof *matrix->rows);
     }
   else
     new_rows = 0;
@@ -574,9 +574,8 @@ adjust_glyph_matrix (struct window *w, struct glyph_matrix *matrix, int x, int y
           while (row < end)
             {
               row->glyphs[LEFT_MARGIN_AREA]
-                = (struct glyph *) xrealloc (row->glyphs[LEFT_MARGIN_AREA],
-                                             (dim.width
-                                              * sizeof (struct glyph)));
+                = xnrealloc (row->glyphs[LEFT_MARGIN_AREA],
+                             dim.width, sizeof (struct glyph));
 
               /* The mode line never has marginal areas.  */
               if (row == matrix->rows + dim.height - 1
@@ -1215,7 +1214,7 @@ line_draw_cost (struct glyph_matrix *matrix, int vpos)
   struct glyph *end = beg + row->used[TEXT_AREA];
   int len;
   Lisp_Object *glyph_table_base = GLYPH_TABLE_BASE;
-  int glyph_table_len = GLYPH_TABLE_LENGTH;
+  ptrdiff_t glyph_table_len = GLYPH_TABLE_LENGTH;
 
   /* Ignore trailing and leading spaces if we can.  */
   if (!FRAME_MUST_WRITE_SPACES (SELECTED_FRAME ())) /* XXX Is SELECTED_FRAME OK here? */
@@ -1389,7 +1388,7 @@ free_glyph_pool (struct glyph_pool *pool)
 static int
 realloc_glyph_pool (struct glyph_pool *pool, struct dim matrix_dim)
 {
-  int needed;
+  ptrdiff_t needed;
   int changed_p;
 
   changed_p = (pool->glyphs == 0
@@ -1397,24 +1396,17 @@ realloc_glyph_pool (struct glyph_pool *pool, struct dim matrix_dim)
                || matrix_dim.width != pool->ncolumns);
 
   /* Enlarge the glyph pool.  */
-  needed = matrix_dim.width * matrix_dim.height;
+  needed = matrix_dim.width;
+  if (INT_MULTIPLY_OVERFLOW (needed, matrix_dim.height))
+    memory_full (SIZE_MAX);
+  needed *= matrix_dim.height;
   if (needed > pool->nglyphs)
     {
-      ptrdiff_t size = needed * sizeof (struct glyph);
-
-      if (pool->glyphs)
-        {
-          pool->glyphs = (struct glyph *) xrealloc (pool->glyphs, size);
-          memset (pool->glyphs + pool->nglyphs, 0,
-                  size - pool->nglyphs * sizeof (struct glyph));
-        }
-      else
-        {
-          pool->glyphs = (struct glyph *) xmalloc (size);
-          memset (pool->glyphs, 0, size);
-        }
-
-      pool->nglyphs = needed;
+      ptrdiff_t old_nglyphs = pool->nglyphs;
+      pool->glyphs = xpalloc (pool->glyphs, &pool->nglyphs,
+                              needed - old_nglyphs, -1, sizeof *pool->glyphs);
+      memset (pool->glyphs + old_nglyphs, 0,
+              (pool->nglyphs - old_nglyphs) * sizeof *pool->glyphs);
     }
 
   /* Remember the number of rows and columns because (a) we use them
@@ -4167,7 +4159,7 @@ struct row_entry
   int new_line_number;
 
   /* Bucket index of this row_entry in the hash table row_table.  */
-  int bucket;
+  ptrdiff_t bucket;
 
   /* The row described by this entry.  */
   struct glyph_row *row;
@@ -4181,29 +4173,29 @@ struct row_entry
    that we need a larger one.  */
 
 static struct row_entry *row_entry_pool;
-static int row_entry_pool_size;
+static ptrdiff_t row_entry_pool_size;
 
 /* Index of next free entry in row_entry_pool.  */
 
-static int row_entry_idx;
+static ptrdiff_t row_entry_idx;
 
 /* The hash table used during scrolling, and the table's size.  This
    table is used to quickly identify equal rows in the desired and
    current matrix.  */
 
 static struct row_entry **row_table;
-static int row_table_size;
+static ptrdiff_t row_table_size;
 
 /* Vectors of pointers to row_entry structures belonging to the
    current and desired matrix, and the size of the vectors.  */
 
 static struct row_entry **old_lines, **new_lines;
-static int old_lines_size, new_lines_size;
+static ptrdiff_t old_lines_size, new_lines_size;
 
 /* A pool to allocate run structures from, and its size.  */
 
 static struct run *run_pool;
-static int runs_size;
+static ptrdiff_t runs_size;
 
 /* A vector of runs of lines found during scrolling.  */
 
@@ -4215,7 +4207,7 @@ static inline struct row_entry *
 add_row_entry (struct glyph_row *row)
 {
   struct row_entry *entry;
-  int i = row->hash % row_table_size;
+  ptrdiff_t i = row->hash % row_table_size;
 
   entry = row_table[i];
   while (entry && !row_equal_p (entry->row, row, 1))
@@ -4268,9 +4260,10 @@ scrolling_window (struct window *w, int header_line_p)
   struct glyph_matrix *desired_matrix = w->desired_matrix;
   struct glyph_matrix *current_matrix = w->current_matrix;
   int yb = window_text_bottom_y (w);
-  int i, j, first_old, first_new, last_old, last_new;
-  int nruns, n, run_idx;
-  ptrdiff_t nbytes;
+  ptrdiff_t i;
+  int j, first_old, first_new, last_old, last_new;
+  int nruns, run_idx;
+  ptrdiff_t n;
   struct row_entry *entry;
   struct redisplay_interface *rif = FRAME_RIF (XFRAME (WINDOW_FRAME (w)));
 
@@ -4361,45 +4354,59 @@ scrolling_window (struct window *w, int header_line_p)
   if (last_new == first_new)
     return 0;
 
+  /* Check for integer overflow in size calculation.
+
+     If next_almost_prime checks (N) for divisibility by 2..10, then
+     it can return at most N + 10, e.g., next_almost_prime (1) == 11.
+     So, set next_almost_prime_increment_max to 10.
+
+     It's just a coincidence that next_almost_prime_increment_max ==
+     NEXT_ALMOST_PRIME_LIMIT - 1.  If NEXT_ALMOST_PRIME_LIMIT were
+     13, then next_almost_prime_increment_max would be 14, e.g.,
+     because next_almost_prime (113) would be 127.  */
+  {
+    verify (NEXT_ALMOST_PRIME_LIMIT == 11);
+    enum { next_almost_prime_increment_max = 10 };
+    ptrdiff_t row_table_max =
+      (min (PTRDIFF_MAX, SIZE_MAX) / (3 * sizeof *row_table)
+       - next_almost_prime_increment_max);
+    ptrdiff_t current_nrows_max = row_table_max - desired_matrix->nrows;
+    if (current_nrows_max < current_matrix->nrows)
+      memory_full (SIZE_MAX);
+  }
+
   /* Reallocate vectors, tables etc. if necessary.  */
 
   if (current_matrix->nrows > old_lines_size)
-    {
-      old_lines_size = current_matrix->nrows;
-      nbytes = old_lines_size * sizeof *old_lines;
-      old_lines = (struct row_entry **) xrealloc (old_lines, nbytes);
-    }
+    old_lines = xpalloc (old_lines, &old_lines_size,
+                         current_matrix->nrows - old_lines_size,
+                         INT_MAX, sizeof *old_lines);
 
   if (desired_matrix->nrows > new_lines_size)
-    {
-      new_lines_size = desired_matrix->nrows;
-      nbytes = new_lines_size * sizeof *new_lines;
-      new_lines = (struct row_entry **) xrealloc (new_lines, nbytes);
-    }
+    new_lines = xpalloc (new_lines, &new_lines_size,
+                         desired_matrix->nrows - new_lines_size,
+                         INT_MAX, sizeof *new_lines);
 
-  n = desired_matrix->nrows + current_matrix->nrows;
-  if (3 * n > row_table_size)
+  n = desired_matrix->nrows;
+  n += current_matrix->nrows;
+  if (row_table_size < 3 * n)
     {
-      row_table_size = next_almost_prime (3 * n);
-      nbytes = row_table_size * sizeof *row_table;
-      row_table = (struct row_entry **) xrealloc (row_table, nbytes);
-      memset (row_table, 0, nbytes);
+      ptrdiff_t size = next_almost_prime (3 * n);
+      row_table = xnrealloc (row_table, size, sizeof *row_table);
+      row_table_size = size;
+      memset (row_table, 0, size * sizeof *row_table);
     }
 
   if (n > row_entry_pool_size)
-    {
-      row_entry_pool_size = n;
-      nbytes = row_entry_pool_size * sizeof *row_entry_pool;
-      row_entry_pool = (struct row_entry *) xrealloc (row_entry_pool, nbytes);
-    }
+    row_entry_pool = xpalloc (row_entry_pool, &row_entry_pool_size,
+                              n - row_entry_pool_size,
+                              -1, sizeof *row_entry_pool);
 
   if (desired_matrix->nrows > runs_size)
     {
+      runs = xnrealloc (runs, desired_matrix->nrows, sizeof *runs);
+      run_pool = xnrealloc (run_pool, desired_matrix->nrows, sizeof *run_pool);
       runs_size = desired_matrix->nrows;
-      nbytes = runs_size * sizeof *runs;
-      runs = (struct run **) xrealloc (runs, nbytes);
-      nbytes = runs_size * sizeof *run_pool;
-      run_pool = (struct run *) xrealloc (run_pool, nbytes);
     }
 
   nruns = run_idx = 0;
diff --git a/src/doc.c b/src/doc.c
index 69646f5af51..83e943c42b8 100644
--- a/src/doc.c
+++ b/src/doc.c
@@ -39,7 +39,7 @@ Lisp_Object Qfunction_documentation;
 extern Lisp_Object Qclosure;
 /* Buffer used for reading from documentation file.  */
 static char *get_doc_string_buffer;
-static int get_doc_string_buffer_size;
+static ptrdiff_t get_doc_string_buffer_size;
 
 static unsigned char *read_bytecode_pointer;
 static Lisp_Object Fdocumentation_property (Lisp_Object, Lisp_Object,
@@ -166,20 +166,19 @@ get_doc_string (Lisp_Object filepos, int unibyte, int definition)
   p = get_doc_string_buffer;
   while (1)
     {
-      EMACS_INT space_left = (get_doc_string_buffer_size
+      ptrdiff_t space_left = (get_doc_string_buffer_size - 1
                               - (p - get_doc_string_buffer));
       int nread;
 
       /* Allocate or grow the buffer if we need to.  */
-      if (space_left == 0)
+      if (space_left <= 0)
         {
-          EMACS_INT in_buffer = p - get_doc_string_buffer;
-          get_doc_string_buffer_size += 16 * 1024;
-          get_doc_string_buffer
-            = (char *) xrealloc (get_doc_string_buffer,
-                                 get_doc_string_buffer_size + 1);
+          ptrdiff_t in_buffer = p - get_doc_string_buffer;
+          get_doc_string_buffer =
+            xpalloc (get_doc_string_buffer, &get_doc_string_buffer_size,
+                     16 * 1024, -1, 1);
           p = get_doc_string_buffer + in_buffer;
-          space_left = (get_doc_string_buffer_size
+          space_left = (get_doc_string_buffer_size - 1
                         - (p - get_doc_string_buffer));
         }
 
@@ -713,16 +712,16 @@ a new string, without any text properties, is returned.  */)
   int changed = 0;
   register unsigned char *strp;
   register char *bufp;
-  EMACS_INT idx;
-  EMACS_INT bsize;
+  ptrdiff_t idx;
+  ptrdiff_t bsize;
   Lisp_Object tem;
   Lisp_Object keymap;
   unsigned char *start;
-  EMACS_INT length, length_byte;
+  ptrdiff_t length, length_byte;
   Lisp_Object name;
   struct gcpro gcpro1, gcpro2, gcpro3, gcpro4;
   int multibyte;
-  EMACS_INT nchars;
+  ptrdiff_t nchars;
 
   if (NILP (string))
     return Qnil;
@@ -774,7 +773,7 @@ a new string, without any text properties, is returned.  */)
         }
       else if (strp[0] == '\\' && strp[1] == '[')
         {
-          EMACS_INT start_idx;
+          ptrdiff_t start_idx;
           int follow_remap = 1;
 
           changed = 1;
@@ -813,7 +812,9 @@ a new string, without any text properties, is returned.  */)
 
           if (NILP (tem))       /* but not on any keys */
             {
-              EMACS_INT offset = bufp - buf;
+              ptrdiff_t offset = bufp - buf;
+              if (STRING_BYTES_BOUND - 4 < bsize)
+                string_overflow ();
               buf = (char *) xrealloc (buf, bsize += 4);
               bufp = buf + offset;
               memcpy (bufp, "M-x ", 4);
@@ -836,7 +837,7 @@ a new string, without any text properties, is returned.  */)
       else if (strp[0] == '\\' && (strp[1] == '{' || strp[1] == '<'))
         {
           struct buffer *oldbuf;
-          EMACS_INT start_idx;
+          ptrdiff_t start_idx;
           /* This is for computing the SHADOWS arg for describe_map_tree.  */
           Lisp_Object active_maps = Fcurrent_active_maps (Qnil, Qnil);
           Lisp_Object earlier_maps;
@@ -907,7 +908,9 @@ a new string, without any text properties, is returned.  */)
           length_byte = SBYTES (tem);
         subst:
           {
-            EMACS_INT offset = bufp - buf;
+            ptrdiff_t offset = bufp - buf;
+            if (STRING_BYTES_BOUND - length_byte < bsize)
+              string_overflow ();
             buf = (char *) xrealloc (buf, bsize += length_byte);
             bufp = buf + offset;
             memcpy (bufp, start, length_byte);
diff --git a/src/editfns.c b/src/editfns.c
index 297f7b6d7e4..6759016766f 100644
--- a/src/editfns.c
+++ b/src/editfns.c
@@ -2107,7 +2107,7 @@ static char set_time_zone_rule_tz2[] = "TZ=GMT+1";
 void
 set_time_zone_rule (const char *tzstring)
 {
-  int envptrs;
+  ptrdiff_t envptrs;
   char **from, **to, **newenv;
 
   /* Make the ENVIRON vector longer with room for TZSTRING.  */
@@ -3357,7 +3357,7 @@ usage: (save-restriction &rest BODY)  */)
 static char *message_text;
 
 /* Allocated length of that buffer.  */
-static int message_length;
+static ptrdiff_t message_length;
 
 DEFUN ("message", Fmessage, Smessage, 1, MANY, 0,
        doc: /* Display a message at the bottom of the screen.
@@ -3439,8 +3439,8 @@ usage: (message-box FORMAT-STRING &rest ARGS)  */)
         }
       if (SBYTES (val) > message_length)
         {
+          message_text = (char *) xrealloc (message_text, SBYTES (val));
           message_length = SBYTES (val);
-          message_text = (char *)xrealloc (message_text, message_length);
         }
       memcpy (message_text, SDATA (val), SBYTES (val));
       message2 (message_text, SBYTES (val),
@@ -3889,7 +3889,7 @@ usage: (format STRING &rest OBJECTS)  */)
                       : -1)),
 
                 /* Maximum number of bytes generated by any format, if
-                   precision is no more than DBL_USEFUL_PRECISION_MAX.
+                   precision is no more than USEFUL_PRECISION_MAX.
                    On all practical hosts, %f is the worst case.  */
                 SPRINTF_BUFSIZE =
                   sizeof "-." + (DBL_MAX_10_EXP + 1) + USEFUL_PRECISION_MAX,
@@ -4165,7 +4165,7 @@ usage: (format STRING &rest OBJECTS)  */)
          character.  CONVBYTES says how much room is needed.  Allocate
          enough room (and then some) and do it again.  */
       {
-        EMACS_INT used = p - buf;
+        ptrdiff_t used = p - buf;
 
         if (max_bufsize - used < convbytes)
           string_overflow ();
diff --git a/src/emacs.c b/src/emacs.c
index 868df894353..b89d3d82e82 100644
--- a/src/emacs.c
+++ b/src/emacs.c
@@ -1361,24 +1361,17 @@ Using an Emacs configured with --with-x-toolkit=lucid does not have this problem
     /* If we have the form --display=NAME,
        convert it into  -d name.
        This requires inserting a new element into argv.  */
-    if (displayname != 0 && skip_args - count_before == 1)
+    if (displayname && count_before < skip_args)
       {
-        char **new = (char **) xmalloc (sizeof (char *) * (argc + 2));
-        int j;
-
-        for (j = 0; j < count_before + 1; j++)
-          new[j] = argv[j];
-        new[count_before + 1] = (char *) "-d";
-        new[count_before + 2] = displayname;
-        for (j = count_before + 2; j <argc; j++)
-          new[j + 1] = argv[j];
-        argv = new;
-        argc++;
+        if (skip_args == count_before + 1)
+          {
+            memmove (argv + count_before + 3, argv + count_before + 2,
+                     (argc - (count_before + 2)) * sizeof *argv);
+            argv[count_before + 2] = displayname;
+            argc++;
+          }
+        argv[count_before + 1] = (char *) "-d";
       }
-    /* Change --display to -d, when its arg is separate.  */
-    else if (displayname != 0 && skip_args > count_before
-             && argv[count_before + 1][1] == '-')
-      argv[count_before + 1] = (char *) "-d";
 
     if (! no_site_lisp)
       {
@@ -1844,8 +1837,8 @@ sort_args (int argc, char **argv)
      0 for an option that takes no arguments,
      1 for an option that takes one argument, etc.
      -1 for an ordinary non-option argument.  */
-  int *options = (int *) xmalloc (sizeof (int) * argc);
-  int *priority = (int *) xmalloc (sizeof (int) * argc);
+  int *options = xnmalloc (argc, sizeof *options);
+  int *priority = xnmalloc (argc, sizeof *priority);
   int to = 1;
   int incoming_used = 1;
   int from;
diff --git a/src/eval.c b/src/eval.c
index 372e9954620..e722b53fb72 100644
--- a/src/eval.c
+++ b/src/eval.c
@@ -133,8 +133,9 @@ static Lisp_Object Ffetch_bytecode (Lisp_Object);
 void
 init_eval_once (void)
 {
-  specpdl_size = 50;
-  specpdl = (struct specbinding *) xmalloc (specpdl_size * sizeof (struct specbinding));
+  enum { size = 50 };
+  specpdl = (struct specbinding *) xmalloc (size * sizeof (struct specbinding));
+  specpdl_size = size;
   specpdl_ptr = specpdl;
   /* Don't forget to update docs (lispref node "Local Variables").  */
   max_specpdl_size = 1300; /* 1000 is not enough for CEDET's c-by.el.  */
@@ -192,7 +193,7 @@ call_debugger (Lisp_Object arg)
   if (lisp_eval_depth + 40 > max_lisp_eval_depth)
     max_lisp_eval_depth = lisp_eval_depth + 40;
 
-  if (SPECPDL_INDEX () + 100 > max_specpdl_size)
+  if (max_specpdl_size - 100 < SPECPDL_INDEX ())
     max_specpdl_size = SPECPDL_INDEX () + 100;
 
 #ifdef HAVE_WINDOW_SYSTEM
@@ -3254,17 +3255,21 @@ static void
 grow_specpdl (void)
 {
   register int count = SPECPDL_INDEX ();
-  if (specpdl_size >= max_specpdl_size)
+  int max_size =
+    min (max_specpdl_size,
+         min (max (PTRDIFF_MAX, SIZE_MAX) / sizeof (struct specbinding),
+              INT_MAX));
+  int size;
+  if (max_size <= specpdl_size)
     {
       if (max_specpdl_size < 400)
-        max_specpdl_size = 400;
-      if (specpdl_size >= max_specpdl_size)
+        max_size = max_specpdl_size = 400;
+      if (max_size <= specpdl_size)
         signal_error ("Variable binding depth exceeds max-specpdl-size", Qnil);
     }
-  specpdl_size *= 2;
-  if (specpdl_size > max_specpdl_size)
-    specpdl_size = max_specpdl_size;
-  specpdl = (struct specbinding *) xrealloc (specpdl, specpdl_size * sizeof (struct specbinding));
+  size = specpdl_size < max_size / 2 ? 2 * specpdl_size : max_size;
+  specpdl = xnrealloc (specpdl, size, sizeof *specpdl);
+  specpdl_size = size;
   specpdl_ptr = specpdl + count;
 }
 
diff --git a/src/fileio.c b/src/fileio.c
index 61713689351..60ee35bb399 100644
--- a/src/fileio.c
+++ b/src/fileio.c
@@ -2912,7 +2912,7 @@ symbolic notation, like the `chmod' command from GNU Coreutils.  */)
 
   encoded_absname = ENCODE_FILE (absname);
 
-  if (chmod (SSDATA (encoded_absname), XINT (mode)) < 0)
+  if (chmod (SSDATA (encoded_absname), XINT (mode) & 07777) < 0)
     report_file_error ("Doing chmod", Fcons (absname, Qnil));
 
   return Qnil;
@@ -5114,11 +5114,11 @@ auto_save_1 (void)
     {
       if (stat (SSDATA (BVAR (current_buffer, filename)), &st) >= 0)
         /* But make sure we can overwrite it later!  */
-        auto_save_mode_bits = st.st_mode | 0600;
+        auto_save_mode_bits = (st.st_mode | 0600) & 0777;
       else if ((modes = Ffile_modes (BVAR (current_buffer, filename)),
                 INTEGERP (modes)))
         /* Remote files don't cooperate with stat.  */
-        auto_save_mode_bits = XINT (modes) | 0600;
+        auto_save_mode_bits = (XINT (modes) | 0600) & 0777;
     }
 
   return
diff --git a/src/fns.c b/src/fns.c
index 9c9d19fe26a..a3af6b8c15a 100644
--- a/src/fns.c
+++ b/src/fns.c
@@ -602,7 +602,7 @@ concat (ptrdiff_t nargs, Lisp_Object *args,
 
   prev = Qnil;
   if (STRINGP (val))
-    SAFE_ALLOCA (textprops, struct textprop_rec *, sizeof (struct textprop_rec) * nargs);
+    SAFE_NALLOCA (textprops, 1, nargs);
 
   for (argnum = 0; argnum < nargs; argnum++)
     {
@@ -3395,11 +3395,13 @@ check_hash_table (Lisp_Object obj)
 
 
 /* Value is the next integer I >= N, N >= 0 which is "almost" a prime
-   number.  */
+   number.  A number is "almost" a prime number if it is not divisible
+   by any integer in the range 2 .. (NEXT_ALMOST_PRIME_LIMIT - 1).  */
 
 EMACS_INT
 next_almost_prime (EMACS_INT n)
 {
+  verify (NEXT_ALMOST_PRIME_LIMIT == 11);
   for (n |= 1; ; n += 2)
     if (n % 3 != 0 && n % 5 != 0 && n % 7 != 0)
       return n;
@@ -3787,11 +3789,11 @@ maybe_resize_hash_table (struct Lisp_Hash_Table *h)
    the hash code of KEY.  Value is the index of the entry in H
    matching KEY, or -1 if not found.  */
 
-EMACS_INT
+ptrdiff_t
 hash_lookup (struct Lisp_Hash_Table *h, Lisp_Object key, EMACS_UINT *hash)
 {
   EMACS_UINT hash_code;
-  EMACS_INT start_of_bucket;
+  ptrdiff_t start_of_bucket;
   Lisp_Object idx;
 
   hash_code = h->hashfn (h, key);
@@ -3821,11 +3823,11 @@ hash_lookup (struct Lisp_Hash_Table *h, Lisp_Object key, EMACS_UINT *hash)
    HASH is a previously computed hash code of KEY.
    Value is the index of the entry in H matching KEY.  */
 
-EMACS_INT
+ptrdiff_t
 hash_put (struct Lisp_Hash_Table *h, Lisp_Object key, Lisp_Object value,
           EMACS_UINT hash)
 {
-  EMACS_INT start_of_bucket, i;
+  ptrdiff_t start_of_bucket, i;
 
   xassert ((hash & ~INTMASK) == 0);
 
@@ -4482,7 +4484,7 @@ If KEY is not found, return DFLT which defaults to nil.  */)
   (Lisp_Object key, Lisp_Object table, Lisp_Object dflt)
 {
   struct Lisp_Hash_Table *h = check_hash_table (table);
-  EMACS_INT i = hash_lookup (h, key, NULL);
+  ptrdiff_t i = hash_lookup (h, key, NULL);
   return i >= 0 ? HASH_VALUE (h, i) : dflt;
 }
 
@@ -4494,7 +4496,7 @@ VALUE.  In any case, return VALUE.  */)
   (Lisp_Object key, Lisp_Object value, Lisp_Object table)
 {
   struct Lisp_Hash_Table *h = check_hash_table (table);
-  EMACS_INT i;
+  ptrdiff_t i;
   EMACS_UINT hash;
 
   i = hash_lookup (h, key, &hash);
diff --git a/src/frame.c b/src/frame.c
index 19ce78dfd9c..711109a70c6 100644
--- a/src/frame.c
+++ b/src/frame.c
@@ -160,7 +160,7 @@ set_menu_bar_lines (struct frame *f, Lisp_Object value, Lisp_Object oldval)
   if (FRAME_MINIBUF_ONLY_P (f))
     return;
 
-  if (INTEGERP (value))
+  if (TYPE_RANGED_INTEGERP (int, value))
     nlines = XINT (value);
   else
     nlines = 0;
@@ -2992,7 +2992,7 @@ x_set_frame_parameters (FRAME_PTR f, Lisp_Object alist)
         f->size_hint_flags &= ~ (XNegative | YNegative);
         if (EQ (left, Qminus))
           f->size_hint_flags |= XNegative;
-        else if (INTEGERP (left))
+        else if (TYPE_RANGED_INTEGERP (int, left))
           {
             leftpos = XINT (left);
             if (leftpos < 0)
@@ -3000,21 +3000,21 @@ x_set_frame_parameters (FRAME_PTR f, Lisp_Object alist)
           }
         else if (CONSP (left) && EQ (XCAR (left), Qminus)
                  && CONSP (XCDR (left))
-                 && INTEGERP (XCAR (XCDR (left))))
+                 && RANGED_INTEGERP (-INT_MAX, XCAR (XCDR (left)), INT_MAX))
           {
             leftpos = - XINT (XCAR (XCDR (left)));
             f->size_hint_flags |= XNegative;
           }
         else if (CONSP (left) && EQ (XCAR (left), Qplus)
                  && CONSP (XCDR (left))
-                 && INTEGERP (XCAR (XCDR (left))))
+                 && TYPE_RANGED_INTEGERP (int, XCAR (XCDR (left))))
           {
             leftpos = XINT (XCAR (XCDR (left)));
           }
 
         if (EQ (top, Qminus))
           f->size_hint_flags |= YNegative;
-        else if (INTEGERP (top))
+        else if (TYPE_RANGED_INTEGERP (int, top))
           {
             toppos = XINT (top);
             if (toppos < 0)
@@ -3022,14 +3022,14 @@ x_set_frame_parameters (FRAME_PTR f, Lisp_Object alist)
           }
         else if (CONSP (top) && EQ (XCAR (top), Qminus)
                  && CONSP (XCDR (top))
-                 && INTEGERP (XCAR (XCDR (top))))
+                 && RANGED_INTEGERP (-INT_MAX, XCAR (XCDR (top)), INT_MAX))
           {
             toppos = - XINT (XCAR (XCDR (top)));
             f->size_hint_flags |= YNegative;
           }
         else if (CONSP (top) && EQ (XCAR (top), Qplus)
                  && CONSP (XCDR (top))
-                 && INTEGERP (XCAR (XCDR (top))))
+                 && TYPE_RANGED_INTEGERP (int, XCAR (XCDR (top))))
           {
             toppos = XINT (XCAR (XCDR (top)));
           }
@@ -3481,7 +3481,7 @@ x_set_scroll_bar_width (struct frame *f, Lisp_Object arg, Lisp_Object oldval)
         x_set_window_size (f, 0, FRAME_COLS (f), FRAME_LINES (f));
       do_pending_window_change (0);
     }
-  else if (INTEGERP (arg) && XINT (arg) > 0
+  else if (RANGED_INTEGERP (1, arg, INT_MAX)
            && XFASTINT (arg) != FRAME_CONFIG_SCROLL_BAR_WIDTH (f))
     {
       if (XFASTINT (arg) <= 2 * VERTICAL_SCROLL_BAR_WIDTH_TRIM)
@@ -3520,7 +3520,7 @@ x_set_alpha (struct frame *f, Lisp_Object arg, Lisp_Object oldval)
 {
   double alpha = 1.0;
   double newval[2];
-  int i, ialpha;
+  int i;
   Lisp_Object item;
 
   for (i = 0; i < 2; i++)
@@ -3544,7 +3544,7 @@ x_set_alpha (struct frame *f, Lisp_Object arg, Lisp_Object oldval)
         }
       else if (INTEGERP (item))
         {
-          ialpha = XINT (item);
+          EMACS_INT ialpha = XINT (item);
           if (ialpha < 0 || 100 < ialpha)
             args_out_of_range (make_number (0), make_number (100));
           else
@@ -4031,11 +4031,15 @@ x_figure_window_size (struct frame *f, Lisp_Object parms, int toolbar_p)
       if (!EQ (tem0, Qunbound))
         {
           CHECK_NUMBER (tem0);
+          if (! (0 <= XINT (tem0) && XINT (tem0) <= INT_MAX))
+            xsignal1 (Qargs_out_of_range, tem0);
           FRAME_LINES (f) = XINT (tem0);
         }
       if (!EQ (tem1, Qunbound))
         {
           CHECK_NUMBER (tem1);
+          if (! (0 <= XINT (tem1) && XINT (tem1) <= INT_MAX))
+            xsignal1 (Qargs_out_of_range, tem1);
           SET_FRAME_COLS (f, XINT (tem1));
         }
       if (!NILP (tem2) && !EQ (tem2, Qunbound))
@@ -4066,12 +4070,10 @@ x_figure_window_size (struct frame *f, Lisp_Object parms, int toolbar_p)
                 ? tool_bar_button_relief
                 : DEFAULT_TOOL_BAR_BUTTON_RELIEF);
 
-      if (INTEGERP (Vtool_bar_button_margin)
-          && XINT (Vtool_bar_button_margin) > 0)
+      if (RANGED_INTEGERP (1, Vtool_bar_button_margin, INT_MAX))
         margin = XFASTINT (Vtool_bar_button_margin);
       else if (CONSP (Vtool_bar_button_margin)
-               && INTEGERP (XCDR (Vtool_bar_button_margin))
-               && XINT (XCDR (Vtool_bar_button_margin)) > 0)
+               && RANGED_INTEGERP (1, XCDR (Vtool_bar_button_margin), INT_MAX))
         margin = XFASTINT (XCDR (Vtool_bar_button_margin));
       else
         margin = 0;
@@ -4097,14 +4099,14 @@ x_figure_window_size (struct frame *f, Lisp_Object parms, int toolbar_p)
         }
       else if (CONSP (tem0) && EQ (XCAR (tem0), Qminus)
                && CONSP (XCDR (tem0))
-               && INTEGERP (XCAR (XCDR (tem0))))
+               && RANGED_INTEGERP (-INT_MAX, XCAR (XCDR (tem0)), INT_MAX))
         {
           f->top_pos = - XINT (XCAR (XCDR (tem0)));
           window_prompting |= YNegative;
         }
       else if (CONSP (tem0) && EQ (XCAR (tem0), Qplus)
                && CONSP (XCDR (tem0))
-               && INTEGERP (XCAR (XCDR (tem0))))
+               && TYPE_RANGED_INTEGERP (int, XCAR (XCDR (tem0))))
         {
           f->top_pos = XINT (XCAR (XCDR (tem0)));
         }
@@ -4125,14 +4127,14 @@ x_figure_window_size (struct frame *f, Lisp_Object parms, int toolbar_p)
         }
       else if (CONSP (tem1) && EQ (XCAR (tem1), Qminus)
                && CONSP (XCDR (tem1))
-               && INTEGERP (XCAR (XCDR (tem1))))
+               && RANGED_INTEGERP (-INT_MAX, XCAR (XCDR (tem1)), INT_MAX))
         {
           f->left_pos = - XINT (XCAR (XCDR (tem1)));
           window_prompting |= XNegative;
         }
       else if (CONSP (tem1) && EQ (XCAR (tem1), Qplus)
                && CONSP (XCDR (tem1))
-               && INTEGERP (XCAR (XCDR (tem1))))
+               && TYPE_RANGED_INTEGERP (int, XCAR (XCDR (tem1))))
         {
           f->left_pos = XINT (XCAR (XCDR (tem1)));
         }
diff --git a/src/frame.h b/src/frame.h
index 8dccfb8540a..3775403810f 100644
--- a/src/frame.h
+++ b/src/frame.h
@@ -258,11 +258,11 @@ struct frame
 
   /* Size of this frame, excluding fringes, scroll bars etc.,
      in units of canonical characters.  */
-  EMACS_INT text_lines, text_cols;
+  int text_lines, text_cols;
 
   /* Total size of this frame (i.e. its native window), in units of
      canonical characters.  */
-  EMACS_INT total_lines, total_cols;
+  int total_lines, total_cols;
 
   /* New text height and width for pending size change.
      0 if no change pending.  */
diff --git a/src/fringe.c b/src/fringe.c
index a4dc9433aff..5878c541247 100644
--- a/src/fringe.c
+++ b/src/fringe.c
@@ -1610,22 +1610,25 @@ If BITMAP already exists, the existing definition is replaced.  */)
 
           if (n == max_fringe_bitmaps)
             {
-              if ((max_fringe_bitmaps + 20) > MAX_FRINGE_BITMAPS)
+              int bitmaps = max_fringe_bitmaps + 20;
+              if (MAX_FRINGE_BITMAPS < bitmaps)
                 error ("No free fringe bitmap slots");
 
               i = max_fringe_bitmaps;
-              max_fringe_bitmaps += 20;
               fringe_bitmaps
                 = ((struct fringe_bitmap **)
-                   xrealloc (fringe_bitmaps, max_fringe_bitmaps * sizeof (struct fringe_bitmap *)));
+                   xrealloc (fringe_bitmaps, bitmaps * sizeof *fringe_bitmaps));
               fringe_faces
-                = (Lisp_Object *) xrealloc (fringe_faces, max_fringe_bitmaps * sizeof (Lisp_Object));
+                = (Lisp_Object *) xrealloc (fringe_faces,
+                                            bitmaps * sizeof *fringe_faces);
 
-              for (; i < max_fringe_bitmaps; i++)
+              for (i = max_fringe_bitmaps; i < bitmaps; i++)
                 {
                   fringe_bitmaps[i] = NULL;
                   fringe_faces[i] = Qnil;
                 }
+
+              max_fringe_bitmaps = bitmaps;
             }
         }
 
diff --git a/src/ftfont.c b/src/ftfont.c
index 5c98073057c..7858a31be21 100644
--- a/src/ftfont.c
+++ b/src/ftfont.c
@@ -686,7 +686,10 @@ ftfont_get_open_type_spec (Lisp_Object otf_spec)
       if (NILP (val))
         continue;
       len = Flength (val);
-      spec->features[i] = malloc (sizeof (int) * XINT (len));
+      spec->features[i] =
+        (min (PTRDIFF_MAX, SIZE_MAX) / sizeof (int) < XINT (len)
+         ? 0
+         : malloc (sizeof (int) * XINT (len)));
       if (! spec->features[i])
         {
           if (i > 0 && spec->features[0])
@@ -1765,15 +1768,10 @@ static OTF_GlyphString otf_gstring;
 static void
 setup_otf_gstring (int size)
 {
-  if (otf_gstring.size == 0)
+  if (otf_gstring.size < size)
     {
-      otf_gstring.glyphs = (OTF_Glyph *) xmalloc (sizeof (OTF_Glyph) * size);
-      otf_gstring.size = size;
-    }
-  else if (otf_gstring.size < size)
-    {
-      otf_gstring.glyphs = xrealloc (otf_gstring.glyphs,
-                                     sizeof (OTF_Glyph) * size);
+      otf_gstring.glyphs = xnrealloc (otf_gstring.glyphs,
+                                      size, sizeof (OTF_Glyph));
       otf_gstring.size = size;
     }
   otf_gstring.used = size;
@@ -2449,17 +2447,19 @@ ftfont_shape_by_flt (Lisp_Object lgstring, struct font *font,
         }
     }
 
+  if (INT_MAX / 2 < len)
+    memory_full (SIZE_MAX);
+
   if (gstring.allocated == 0)
     {
-      gstring.allocated = len * 2;
       gstring.glyph_size = sizeof (MFLTGlyph);
-      gstring.glyphs = xmalloc (sizeof (MFLTGlyph) * gstring.allocated);
+      gstring.glyphs = xnmalloc (len * 2, sizeof (MFLTGlyph));
+      gstring.allocated = len * 2;
     }
   else if (gstring.allocated < len * 2)
     {
+      gstring.glyphs = xnrealloc (gstring.glyphs, len * 2, sizeof (MFLTGlyph));
       gstring.allocated = len * 2;
-      gstring.glyphs = xrealloc (gstring.glyphs,
-                                 sizeof (MFLTGlyph) * gstring.allocated);
     }
   memset (gstring.glyphs, 0, sizeof (MFLTGlyph) * len);
   for (i = 0; i < len; i++)
@@ -2508,9 +2508,11 @@ ftfont_shape_by_flt (Lisp_Object lgstring, struct font *font,
       int result = mflt_run (&gstring, 0, len, &flt_font_ft.flt_font, flt);
       if (result != -2)
         break;
-      gstring.allocated += gstring.allocated;
-      gstring.glyphs = xrealloc (gstring.glyphs,
-                                 sizeof (MFLTGlyph) * gstring.allocated);
+      if (INT_MAX / 2 < gstring.allocated)
+        memory_full (SIZE_MAX);
+      gstring.glyphs = xnrealloc (gstring.glyphs,
+                                  gstring.allocated, 2 * sizeof (MFLTGlyph));
+      gstring.allocated *= 2;
     }
   if (gstring.used > LGSTRING_GLYPH_LEN (lgstring))
     return Qnil;
diff --git a/src/gtkutil.c b/src/gtkutil.c
index dd4d99b9d33..c39119c8151 100644
--- a/src/gtkutil.c
+++ b/src/gtkutil.c
@@ -487,7 +487,8 @@ get_utf8_string (const char *str)
   if (!utf8_str)
     {
       /* Probably some control characters in str.  Escape them. */
-      size_t nr_bad = 0;
+      ptrdiff_t len;
+      ptrdiff_t nr_bad = 0;
       gsize bytes_read;
       gsize bytes_written;
       unsigned char *p = (unsigned char *)str;
@@ -511,7 +512,10 @@ get_utf8_string (const char *str)
         }
       if (cp) g_free (cp);
 
-      up = utf8_str = xmalloc (strlen (str) + nr_bad * 4 + 1);
+      len = strlen (str);
+      if ((min (PTRDIFF_MAX, SIZE_MAX) - len - 1) / 4 < nr_bad)
+        memory_full (SIZE_MAX);
+      up = utf8_str = xmalloc (len + nr_bad * 4 + 1);
       p = (unsigned char *)str;
 
       while (! (cp = g_locale_to_utf8 ((char *)p, -1, &bytes_read,
@@ -3296,8 +3300,8 @@ static int scroll_bar_width_for_theme;
 static struct
 {
   GtkWidget **widgets;
-  int max_size;
-  int used;
+  ptrdiff_t max_size;
+  ptrdiff_t used;
 } id_to_widget;
 
 /* Grow this much every time we need to allocate more  */
@@ -3306,17 +3310,20 @@ static struct
 
 /* Store the widget pointer W in id_to_widget and return the integer index.  */
 
-static int
+static ptrdiff_t
 xg_store_widget_in_map (GtkWidget *w)
 {
-  int i;
+  ptrdiff_t i;
 
   if (id_to_widget.max_size == id_to_widget.used)
     {
-      int new_size = id_to_widget.max_size + ID_TO_WIDGET_INCR;
+      ptrdiff_t new_size;
+      if (TYPE_MAXIMUM (Window) - ID_TO_WIDGET_INCR < id_to_widget.max_size)
+        memory_full (SIZE_MAX);
 
-      id_to_widget.widgets = xrealloc (id_to_widget.widgets,
-                                       sizeof (GtkWidget *)*new_size);
+      new_size = id_to_widget.max_size + ID_TO_WIDGET_INCR;
+      id_to_widget.widgets = xnrealloc (id_to_widget.widgets,
+                                        new_size, sizeof (GtkWidget *));
 
       for (i = id_to_widget.max_size; i < new_size; ++i)
         id_to_widget.widgets[i] = 0;
@@ -3345,7 +3352,7 @@ xg_store_widget_in_map (GtkWidget *w)
    Called when scroll bar is destroyed.  */
 
 static void
-xg_remove_widget_from_map (int idx)
+xg_remove_widget_from_map (ptrdiff_t idx)
 {
   if (idx < id_to_widget.max_size && id_to_widget.widgets[idx] != 0)
     {
@@ -3357,7 +3364,7 @@ xg_remove_widget_from_map (int idx)
 /* Get the widget pointer at IDX from id_to_widget. */
 
 static GtkWidget *
-xg_get_widget_from_map (int idx)
+xg_get_widget_from_map (ptrdiff_t idx)
 {
   if (idx < id_to_widget.max_size && id_to_widget.widgets[idx] != 0)
     return id_to_widget.widgets[idx];
@@ -3396,10 +3403,10 @@ xg_get_default_scrollbar_width (void)
 /* Return the scrollbar id for X Window WID on display DPY.
    Return -1 if WID not in id_to_widget.  */
 
-int
+ptrdiff_t
 xg_get_scroll_id_for_window (Display *dpy, Window wid)
 {
-  int idx;
+  ptrdiff_t idx;
   GtkWidget *w;
 
   w = xg_win_to_widget (dpy, wid);
@@ -3421,7 +3428,7 @@ xg_get_scroll_id_for_window (Display *dpy, Window wid)
 static void
 xg_gtk_scroll_destroy (GtkWidget *widget, gpointer data)
 {
-  int id = (intptr_t) data;
+  intptr_t id = (intptr_t) data;
   xg_remove_widget_from_map (id);
 }
 
@@ -3496,7 +3503,7 @@ xg_create_scroll_bar (FRAME_PTR f,
 /* Remove the scroll bar represented by SCROLLBAR_ID from the frame F.  */
 
 void
-xg_remove_scroll_bar (FRAME_PTR f, int scrollbar_id)
+xg_remove_scroll_bar (FRAME_PTR f, ptrdiff_t scrollbar_id)
 {
   GtkWidget *w = xg_get_widget_from_map (scrollbar_id);
   if (w)
@@ -3515,7 +3522,7 @@ xg_remove_scroll_bar (FRAME_PTR f, int scrollbar_id)
 
 void
 xg_update_scrollbar_pos (FRAME_PTR f,
-                         int scrollbar_id,
+                         ptrdiff_t scrollbar_id,
                          int top,
                          int left,
                          int width,
@@ -4429,7 +4436,7 @@ update_frame_tool_bar (FRAME_PTR f)
       int enabled_p = !NILP (PROP (TOOL_BAR_ITEM_ENABLED_P));
       int selected_p = !NILP (PROP (TOOL_BAR_ITEM_SELECTED_P));
       int idx;
-      int img_id;
+      ptrdiff_t img_id;
       int icon_size = 0;
       struct image *img = NULL;
       Lisp_Object image;
diff --git a/src/gtkutil.h b/src/gtkutil.h
index 769e56da917..2dfb3a5ed6c 100644
--- a/src/gtkutil.h
+++ b/src/gtkutil.h
@@ -114,17 +114,17 @@ extern int xg_event_is_for_menubar (FRAME_PTR f, XEvent *event);
 
 extern int xg_have_tear_offs (void);
 
-extern int xg_get_scroll_id_for_window (Display *dpy, Window wid);
+extern ptrdiff_t xg_get_scroll_id_for_window (Display *dpy, Window wid);
 
 extern void xg_create_scroll_bar (FRAME_PTR f,
                                   struct scroll_bar *bar,
                                   GCallback scroll_callback,
                                   GCallback end_callback,
                                   const char *scroll_bar_name);
-extern void xg_remove_scroll_bar (FRAME_PTR f, int scrollbar_id);
+extern void xg_remove_scroll_bar (FRAME_PTR f, ptrdiff_t scrollbar_id);
 
 extern void xg_update_scrollbar_pos (FRAME_PTR f,
-                                     int scrollbar_id,
+                                     ptrdiff_t scrollbar_id,
                                      int top,
                                      int left,
                                      int width,
@@ -185,4 +185,3 @@ extern int xg_ignore_gtk_scrollbar;
 
 #endif /* USE_GTK */
 #endif /* GTKUTIL_H */
-
diff --git a/src/image.c b/src/image.c
index 65be22b087a..d0d28bea582 100644
--- a/src/image.c
+++ b/src/image.c
@@ -196,7 +196,7 @@ x_bitmap_width (FRAME_PTR f, ptrdiff_t id)
 int
 x_bitmap_pixmap (FRAME_PTR f, ptrdiff_t id)
 {
-  return (int) FRAME_X_DISPLAY_INFO (f)->bitmaps[id - 1].pixmap;
+  return FRAME_X_DISPLAY_INFO (f)->bitmaps[id - 1].pixmap;
 }
 #endif
 
@@ -216,15 +216,6 @@ x_allocate_bitmap_record (FRAME_PTR f)
   Display_Info *dpyinfo = FRAME_X_DISPLAY_INFO (f);
   ptrdiff_t i;
 
-  if (dpyinfo->bitmaps == NULL)
-    {
-      dpyinfo->bitmaps_size = 10;
-      dpyinfo->bitmaps
-        = (Bitmap_Record *) xmalloc (dpyinfo->bitmaps_size * sizeof (Bitmap_Record));
-      dpyinfo->bitmaps_last = 1;
-      return 1;
-    }
-
   if (dpyinfo->bitmaps_last < dpyinfo->bitmaps_size)
     return ++dpyinfo->bitmaps_last;
 
@@ -232,20 +223,16 @@ x_allocate_bitmap_record (FRAME_PTR f)
     if (dpyinfo->bitmaps[i].refcount == 0)
       return i + 1;
 
-  if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof (Bitmap_Record) / 2
-      < dpyinfo->bitmaps_size)
-    memory_full (SIZE_MAX);
-  dpyinfo->bitmaps_size *= 2;
-  dpyinfo->bitmaps
-    = (Bitmap_Record *) xrealloc (dpyinfo->bitmaps,
-                                  dpyinfo->bitmaps_size * sizeof (Bitmap_Record));
+  dpyinfo->bitmaps =
+    xpalloc (dpyinfo->bitmaps, &dpyinfo->bitmaps_size,
+             10, -1, sizeof *dpyinfo->bitmaps);
   return ++dpyinfo->bitmaps_last;
 }
 
 /* Add one reference to the reference count of the bitmap with id ID.  */
 
 void
-x_reference_bitmap (FRAME_PTR f, int id)
+x_reference_bitmap (FRAME_PTR f, ptrdiff_t id)
 {
   ++FRAME_X_DISPLAY_INFO (f)->bitmaps[id - 1].refcount;
 }
@@ -807,29 +794,30 @@ parse_image_spec (Lisp_Object spec, struct image_keyword *keywords,
           break;
 
         case IMAGE_POSITIVE_INTEGER_VALUE:
-          if (!INTEGERP (value) || XINT (value) <= 0)
+          if (! RANGED_INTEGERP (1, value, INT_MAX))
             return 0;
           break;
 
         case IMAGE_POSITIVE_INTEGER_VALUE_OR_PAIR:
-          if (INTEGERP (value) && XINT (value) >= 0)
+          if (RANGED_INTEGERP (1, value, INT_MAX))
             break;
           if (CONSP (value)
-              && INTEGERP (XCAR (value)) && INTEGERP (XCDR (value))
-              && XINT (XCAR (value)) >= 0 && XINT (XCDR (value)) >= 0)
+              && RANGED_INTEGERP (1, XCAR (value), INT_MAX)
+              && RANGED_INTEGERP (1, XCDR (value), INT_MAX))
             break;
           return 0;
 
         case IMAGE_ASCENT_VALUE:
           if (SYMBOLP (value) && EQ (value, Qcenter))
             break;
-          else if (INTEGERP (value)
-                   && XINT (value) >= 0
-                   && XINT (value) <= 100)
+          else if (RANGED_INTEGERP (0, value, 100))
             break;
           return 0;
 
         case IMAGE_NON_NEGATIVE_INTEGER_VALUE:
+          /* Unlike the other integer-related cases, this one does not
+             verify that VALUE fits in 'int'.  This is because callers
+             want EMACS_INT.  */
           if (!INTEGERP (value) || XINT (value) < 0)
             return 0;
           break;
@@ -849,7 +837,7 @@ parse_image_spec (Lisp_Object spec, struct image_keyword *keywords,
           break;
 
         case IMAGE_INTEGER_VALUE:
-          if (!INTEGERP (value))
+          if (! TYPE_RANGED_INTEGERP (int, value))
             return 0;
           break;
 
@@ -919,7 +907,7 @@ or omitted means use the selected frame.  */)
   if (valid_image_p (spec))
     {
       struct frame *f = check_x_frame (frame);
-      int id = lookup_image (f, spec);
+      ptrdiff_t id = lookup_image (f, spec);
       struct image *img = IMAGE_FROM_ID (f, id);
       int width = img->width + 2 * img->hmargin;
       int height = img->height + 2 * img->vmargin;
@@ -949,7 +937,7 @@ or omitted means use the selected frame.  */)
   if (valid_image_p (spec))
     {
       struct frame *f = check_x_frame (frame);
-      int id = lookup_image (f, spec);
+      ptrdiff_t id = lookup_image (f, spec);
       struct image *img = IMAGE_FROM_ID (f, id);
       if (img->mask)
         mask = Qt;
@@ -972,7 +960,7 @@ or omitted means use the selected frame.  */)
   if (valid_image_p (spec))
     {
       struct frame *f = check_x_frame (frame);
-      int id = lookup_image (f, spec);
+      ptrdiff_t id = lookup_image (f, spec);
       struct image *img = IMAGE_FROM_ID (f, id);
       ext = img->lisp_data;
     }
@@ -1125,7 +1113,7 @@ image_ascent (struct image *img, struct face *face, struct glyph_slice *slice)
         ascent = height / 2;
     }
   else
-    ascent = (int) (height * img->ascent / 100.0);
+    ascent = height * (img->ascent / 100.0);
 
   return ascent;
 }
@@ -1371,11 +1359,12 @@ x_alloc_image_color (struct frame *f, struct image *img, Lisp_Object color_name,
     {
       /* This isn't called frequently so we get away with simply
          reallocating the color vector to the needed size, here.  */
-      ++img->ncolors;
+      ptrdiff_t ncolors = img->ncolors + 1;
       img->colors =
         (unsigned long *) xrealloc (img->colors,
-                                    img->ncolors * sizeof *img->colors);
-      img->colors[img->ncolors - 1] = color.pixel;
+                                    ncolors * sizeof *img->colors);
+      img->colors[ncolors - 1] = color.pixel;
+      img->ncolors = ncolors;
       result = color.pixel;
     }
   else
@@ -1403,8 +1392,9 @@ make_image_cache (void)
   int size;
 
   memset (c, 0, sizeof *c);
-  c->size = 50;
-  c->images = (struct image **) xmalloc (c->size * sizeof *c->images);
+  size = 50;
+  c->images = (struct image **) xmalloc (size * sizeof *c->images);
+  c->size = size;
   size = IMAGE_CACHE_BUCKETS_SIZE * sizeof *c->buckets;
   c->buckets = (struct image **) xmalloc (size);
   memset (c->buckets, 0, size);
@@ -1470,7 +1460,7 @@ free_image_cache (struct frame *f)
   struct image_cache *c = FRAME_IMAGE_CACHE (f);
   if (c)
     {
-      int i;
+      ptrdiff_t i;
 
       /* Cache should not be referenced by any frame when freed.  */
       xassert (c->refcount == 0);
@@ -1500,7 +1490,7 @@ clear_image_cache (struct frame *f, Lisp_Object filter)
 
   if (c)
     {
-      int i, nfreed = 0;
+      ptrdiff_t i, nfreed = 0;
 
       /* Block input so that we won't be interrupted by a SIGIO
          while being in an inconsistent state.  */
@@ -1524,8 +1514,8 @@ clear_image_cache (struct frame *f, Lisp_Object filter)
         {
           /* Free cache based on timestamp.  */
           EMACS_TIME t;
-          time_t old;
-          int delay, nimages = 0;
+          double old, delay;
+          ptrdiff_t nimages = 0;
 
           for (i = 0; i < c->used; ++i)
             if (c->images[i])
@@ -1533,9 +1523,10 @@ clear_image_cache (struct frame *f, Lisp_Object filter)
 
           /* If the number of cached images has grown unusually large,
              decrease the cache eviction delay (Bug#6230).  */
-          delay = XFASTINT (Vimage_cache_eviction_delay);
+          delay = XINT (Vimage_cache_eviction_delay);
           if (nimages > 40)
-            delay = max (1, 1600 * delay / (nimages*nimages));
+            delay = 1600 * delay / nimages / nimages;
+          delay = max (delay, 1);
 
           EMACS_GET_TIME (t);
           old = EMACS_SECS (t) - delay;
@@ -1711,7 +1702,7 @@ postprocess_image (struct frame *f, struct image *img)
 /* Return the id of image with Lisp specification SPEC on frame F.
    SPEC must be a valid Lisp image specification (see valid_image_p).  */
 
-int
+ptrdiff_t
 lookup_image (struct frame *f, Lisp_Object spec)
 {
   struct image *img;
@@ -1770,15 +1761,12 @@ lookup_image (struct frame *f, Lisp_Object spec)
             img->ascent = CENTERED_IMAGE_ASCENT;
 
           margin = image_spec_value (spec, QCmargin, NULL);
-          if (INTEGERP (margin) && XINT (margin) >= 0)
+          if (INTEGERP (margin))
             img->vmargin = img->hmargin = XFASTINT (margin);
-          else if (CONSP (margin) && INTEGERP (XCAR (margin))
-                   && INTEGERP (XCDR (margin)))
+          else if (CONSP (margin))
             {
-              if (XINT (XCAR (margin)) > 0)
-                img->hmargin = XFASTINT (XCAR (margin));
-              if (XINT (XCDR (margin)) > 0)
-                img->vmargin = XFASTINT (XCDR (margin));
+              img->hmargin = XFASTINT (XCAR (margin));
+              img->vmargin = XFASTINT (XCDR (margin));
             }
 
           relief = image_spec_value (spec, QCrelief, NULL);
@@ -1825,7 +1813,7 @@ static void
 cache_image (struct frame *f, struct image *img)
 {
   struct image_cache *c = FRAME_IMAGE_CACHE (f);
-  int i;
+  ptrdiff_t i;
 
   /* Find a free slot in c->images.  */
   for (i = 0; i < c->used; ++i)
@@ -1834,13 +1822,7 @@ cache_image (struct frame *f, struct image *img)
 
   /* If no free slot found, maybe enlarge c->images.  */
   if (i == c->used && c->used == c->size)
-    {
-      if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof *c->images / 2 < c->size)
-        memory_full (SIZE_MAX);
-      c->size *= 2;
-      c->images = (struct image **) xrealloc (c->images,
-                                              c->size * sizeof *c->images);
-    }
+    c->images = xpalloc (c->images, &c->size, 1, -1, sizeof *c->images);
 
   /* Add IMG to c->images, and assign IMG an id.  */
   c->images[i] = img;
@@ -1879,7 +1861,7 @@ mark_image_cache (struct image_cache *c)
 {
   if (c)
     {
-      int i;
+      ptrdiff_t i;
       for (i = 0; i < c->used; ++i)
         if (c->images[i])
           mark_image (c->images[i]);
@@ -2076,7 +2058,7 @@ x_create_x_image_and_pixmap (struct frame *f, int width, int height, int depth,
       DWORD err = GetLastError ();
       Lisp_Object errcode;
       /* All system errors are < 10000, so the following is safe.  */
-      XSETINT (errcode, (int) err);
+      XSETINT (errcode, err);
       image_error ("Unable to create bitmap, error code %d", errcode, Qnil);
       x_destroy_x_image (*ximg);
       return 0;
@@ -2355,7 +2337,7 @@ xbm_image_p (Lisp_Object object)
   else
     {
       Lisp_Object data;
-      EMACS_INT width, height;
+      int width, height;
 
       /* Entries for `:width', `:height' and `:data' must be present.  */
       if (!kw[XBM_WIDTH].count
@@ -3587,9 +3569,8 @@ xpm_load (struct frame *f, struct image *img)
 #endif /* HAVE_NTGUI */
 
       /* Remember allocated colors.  */
+      img->colors = xnmalloc (attrs.nalloc_pixels, sizeof *img->colors);
       img->ncolors = attrs.nalloc_pixels;
-      img->colors = (unsigned long *) xmalloc (img->ncolors
-                                               * sizeof *img->colors);
       for (i = 0; i < attrs.nalloc_pixels; ++i)
         {
           img->colors[i] = attrs.alloc_pixels[i];
@@ -3813,8 +3794,8 @@ xpm_get_color_table_h (Lisp_Object color_table,
                        int chars_len)
 {
   struct Lisp_Hash_Table *table = XHASH_TABLE (color_table);
-  int i = hash_lookup (table, make_unibyte_string (chars_start, chars_len),
-                       NULL);
+  ptrdiff_t i =
+    hash_lookup (table, make_unibyte_string (chars_start, chars_len), NULL);
 
   return i >= 0 ? HASH_VALUE (table, i) : Qnil;
 }
@@ -4163,6 +4144,12 @@ static struct ct_color **ct_table;
 /* Number of entries in the color table.  */
 
 static int ct_colors_allocated;
+enum
+{
+  ct_colors_allocated_max =
+    min (INT_MAX,
+         min (PTRDIFF_MAX, SIZE_MAX) / sizeof (unsigned long))
+};
 
 /* Initialize the color table.  */
 
@@ -4249,7 +4236,14 @@ lookup_rgb_color (struct frame *f, int r, int g, int b)
       XColor color;
       Colormap cmap;
       int rc;
+#else
+      COLORREF color;
+#endif
 
+      if (ct_colors_allocated_max <= ct_colors_allocated)
+        return FRAME_FOREGROUND_PIXEL (f);
+
+#ifdef HAVE_X_WINDOWS
       color.red = r;
       color.green = g;
       color.blue = b;
@@ -4271,7 +4265,6 @@ lookup_rgb_color (struct frame *f, int r, int g, int b)
         return FRAME_FOREGROUND_PIXEL (f);
 
 #else
-      COLORREF color;
 #ifdef HAVE_NTGUI
       color = PALETTERGB (r, g, b);
 #else
@@ -4312,6 +4305,9 @@ lookup_pixel_color (struct frame *f, unsigned long pixel)
       Colormap cmap;
       int rc;
 
+      if (ct_colors_allocated_max <= ct_colors_allocated)
+        return FRAME_FOREGROUND_PIXEL (f);
+
 #ifdef HAVE_X_WINDOWS
       cmap = FRAME_X_COLORMAP (f);
       color.pixel = pixel;
@@ -4450,7 +4446,9 @@ x_to_xcolors (struct frame *f, struct image *img, int rgb_p)
   HGDIOBJ prev;
 #endif /* HAVE_NTGUI */
 
-  colors = (XColor *) xmalloc (img->width * img->height * sizeof *colors);
+  if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof *colors / img->width < img->height)
+    memory_full (SIZE_MAX);
+  colors = (XColor *) xmalloc (sizeof *colors * img->width * img->height);
 
 #ifndef HAVE_NTGUI
   /* Get the X image IMG->pixmap.  */
@@ -4602,7 +4600,9 @@ x_detect_edges (struct frame *f, struct image *img, int *matrix, int color_adjus
 
 #define COLOR(A, X, Y) ((A) + (Y) * img->width + (X))
 
-  new = (XColor *) xmalloc (img->width * img->height * sizeof *new);
+  if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof *new / img->width < img->height)
+    memory_full (SIZE_MAX);
+  new = (XColor *) xmalloc (sizeof *new * img->width * img->height);
 
   for (y = 0; y < img->height; ++y)
     {
@@ -5880,7 +5880,7 @@ png_load (struct frame *f, struct image *img)
 
       for (x = 0; x < width; ++x)
         {
-          unsigned r, g, b;
+          int r, g, b;
 
           r = *p++ << 8;
           g = *p++ << 8;
@@ -6745,17 +6745,29 @@ tiff_size_of_memory (thandle_t data)
 }
 
 
+static void tiff_handler (const char *, const char *, const char *, va_list)
+  ATTRIBUTE_FORMAT_PRINTF (3, 0);
+static void
+tiff_handler (const char *log_format, const char *title,
+              const char *format, va_list ap)
+{
+  /* doprnt is not suitable here, as TIFF handlers are called from
+     libtiff and are passed arbitrary printf directives.  Instead, use
+     vsnprintf, taking care to be portable to nonstandard environments
+     where vsnprintf returns -1 on buffer overflow.  Since it's just a
+     log entry, it's OK to truncate it.  */
+  char buf[4000];
+  int len = vsnprintf (buf, sizeof buf, format, ap);
+  add_to_log (log_format, build_string (title),
+              make_string (buf, max (0, min (len, sizeof buf - 1))));
+}
+
 static void tiff_error_handler (const char *, const char *, va_list)
   ATTRIBUTE_FORMAT_PRINTF (2, 0);
 static void
 tiff_error_handler (const char *title, const char *format, va_list ap)
 {
-  char buf[512];
-  int len;
-
-  len = sprintf (buf, "TIFF error: %s ", title);
-  vsprintf (buf + len, format, ap);
-  add_to_log (buf, Qnil, Qnil);
+  tiff_handler ("TIFF error: %s %s", title, format, ap);
 }
 
 
@@ -6764,12 +6776,7 @@ static void tiff_warning_handler (const char *, const char *, va_list)
 static void
 tiff_warning_handler (const char *title, const char *format, va_list ap)
 {
-  char buf[512];
-  int len;
-
-  len = sprintf (buf, "TIFF warning: %s ", title);
-  vsprintf (buf + len, format, ap);
-  add_to_log (buf, Qnil, Qnil);
+  tiff_handler ("TIFF warning: %s %s", title, format, ap);
 }
 
 
@@ -6845,8 +6852,9 @@ tiff_load (struct frame *f, struct image *img)
   image = image_spec_value (img->spec, QCindex, NULL);
   if (INTEGERP (image))
     {
-      int ino = XFASTINT (image);
-      if (!fn_TIFFSetDirectory (tiff, ino))
+      EMACS_INT ino = XFASTINT (image);
+      if (! (TYPE_MINIMUM (tdir_t) <= ino && ino <= TYPE_MAXIMUM (tdir_t)
+             && fn_TIFFSetDirectory (tiff, ino)))
         {
           image_error ("Invalid image number `%s' in image `%s'",
                        image, img->spec);
@@ -7144,7 +7152,7 @@ gif_load (struct frame *f, struct image *img)
   Lisp_Object specified_file = image_spec_value (img->spec, QCfile, NULL);
   Lisp_Object specified_data = image_spec_value (img->spec, QCdata, NULL);
   unsigned long bgcolor = 0;
-  int idx;
+  EMACS_INT idx;
 
   if (NILP (specified_data))
     {
@@ -7379,7 +7387,7 @@ gif_load (struct frame *f, struct image *img)
   img->lisp_data = Qnil;
   if (gif->SavedImages[idx].ExtensionBlockCount > 0)
     {
-      unsigned int delay = 0;
+      int delay = 0;
       ExtensionBlock *ext = gif->SavedImages[idx].ExtensionBlocks;
       for (i = 0; i < gif->SavedImages[idx].ExtensionBlockCount; i++, ext++)
         /* Append (... FUNCTION "BYTES") */
@@ -7400,7 +7408,7 @@ gif_load (struct frame *f, struct image *img)
       if (delay)
         img->lisp_data
           = Fcons (Qdelay,
-                   Fcons (make_float (((double) delay) * 0.01),
+                   Fcons (make_float (delay / 100.0),
                           img->lisp_data));
     }
 
@@ -7576,10 +7584,10 @@ imagemagick_load_image (struct frame *f, struct image *img,
   Lisp_Object image;
   Lisp_Object value;
   Lisp_Object crop;
-  long ino;
+  EMACS_INT ino;
   int desired_width, desired_height;
   double rotation;
-  int imagemagick_rendermethod;
+  EMACS_INT imagemagick_rendermethod;
   int pixelwidth;
   ImageInfo  *image_info;
   ExceptionInfo *exception;
@@ -7606,7 +7614,7 @@ imagemagick_load_image (struct frame *f, struct image *img,
       status = MagickPingImageBlob (ping_wand, contents, size);
     }
 
-  if (ino >= MagickGetNumberImages (ping_wand))
+  if (! (0 <= ino && ino < MagickGetNumberImages (ping_wand)))
     {
       image_error ("Invalid image number `%s' in image `%s'",
                    image, img->spec);
@@ -7681,28 +7689,28 @@ imagemagick_load_image (struct frame *f, struct image *img,
      efficient.  */
   crop = image_spec_value (img->spec, QCcrop, NULL);
 
-  if (CONSP (crop) && INTEGERP (XCAR (crop)))
+  if (CONSP (crop) && TYPE_RANGED_INTEGERP (size_t, XCAR (crop)))
     {
       /* After some testing, it seems MagickCropImage is the fastest crop
          function in ImageMagick.  This crop function seems to do less copying
          than the alternatives, but it still reads the entire image into memory
-         before croping, which is aparently difficult to avoid when using
+         before cropping, which is apparently difficult to avoid when using
          imagemagick.  */
-      int w, h;
-      w = XFASTINT (XCAR (crop));
+      size_t crop_width = XINT (XCAR (crop));
       crop = XCDR (crop);
-      if (CONSP (crop) && INTEGERP (XCAR (crop)))
+      if (CONSP (crop) && TYPE_RANGED_INTEGERP (size_t, XCAR (crop)))
         {
-          h = XFASTINT (XCAR (crop));
+          size_t crop_height = XINT (XCAR (crop));
           crop = XCDR (crop);
-          if (CONSP (crop) && INTEGERP (XCAR (crop)))
+          if (CONSP (crop) && TYPE_RANGED_INTEGERP (ssize_t, XCAR (crop)))
             {
-              x = XFASTINT (XCAR (crop));
+              ssize_t crop_x = XINT (XCAR (crop));
               crop = XCDR (crop);
-              if (CONSP (crop) && INTEGERP (XCAR (crop)))
+              if (CONSP (crop) && TYPE_RANGED_INTEGERP (ssize_t, XCAR (crop)))
                 {
-                  y = XFASTINT (XCAR (crop));
-                  MagickCropImage (image_wand, w, h, x, y);
+                  ssize_t crop_y = XINT (XCAR (crop));
+                  MagickCropImage (image_wand, crop_width, crop_height,
+                                   crop_x, crop_y);
                 }
             }
         }
@@ -7748,9 +7756,11 @@ imagemagick_load_image (struct frame *f, struct image *img,
 
   init_color_table ();
   imagemagick_rendermethod = (INTEGERP (Vimagemagick_render_type)
-                              ? XFASTINT (Vimagemagick_render_type) : 0);
+                              ? XINT (Vimagemagick_render_type) : 0);
   if (imagemagick_rendermethod == 0)
     {
+      size_t image_height;
+
       /* Try to create a x pixmap to hold the imagemagick pixmap.  */
       if (!x_create_x_image_and_pixmap (f, width, height, 0,
                                         &ximg, &img->pixmap))
@@ -7779,7 +7789,8 @@ imagemagick_load_image (struct frame *f, struct image *img,
           goto imagemagick_error;
         }
 
-      for (y = 0; y < (long) MagickGetImageHeight (image_wand); y++)
+      image_height = MagickGetImageHeight (image_wand);
+      for (y = 0; y < image_height; y++)
         {
           pixels = PixelGetNextIteratorRow (iterator, &width);
           if (pixels == (PixelWand **) NULL)
@@ -8285,10 +8296,10 @@ svg_load_image (struct frame *f,         /* Pointer to emacs frame structure.  *
     {
       for (x = 0; x < width; ++x)
         {
-          unsigned red;
-          unsigned green;
-          unsigned blue;
-          unsigned opacity;
+          int red;
+          int green;
+          int blue;
+          int opacity;
 
           red     = *pixels++;
           green   = *pixels++;
@@ -8469,7 +8480,8 @@ gs_image_p (Lisp_Object object)
 static int
 gs_load (struct frame *f, struct image *img)
 {
-  char buffer[100];
+  uprintmax_t printnum1, printnum2;
+  char buffer[sizeof " " + INT_STRLEN_BOUND (printmax_t)];
   Lisp_Object window_and_pixmap_id = Qnil, loader, pt_height, pt_width;
   Lisp_Object frame;
   double in_width, in_height;
@@ -8481,16 +8493,19 @@ gs_load (struct frame *f, struct image *img)
      info.  */
   pt_width = image_spec_value (img->spec, QCpt_width, NULL);
   in_width = INTEGERP (pt_width) ? XFASTINT (pt_width) / 72.0 : 0;
-  img->width = in_width * FRAME_X_DISPLAY_INFO (f)->resx;
+  in_width *= FRAME_X_DISPLAY_INFO (f)->resx;
   pt_height = image_spec_value (img->spec, QCpt_height, NULL);
   in_height = INTEGERP (pt_height) ? XFASTINT (pt_height) / 72.0 : 0;
-  img->height = in_height * FRAME_X_DISPLAY_INFO (f)->resy;
+  in_height *= FRAME_X_DISPLAY_INFO (f)->resy;
 
-  if (!check_image_size (f, img->width, img->height))
+  if (! (in_width <= INT_MAX && in_height <= INT_MAX
+         && check_image_size (f, in_width, in_height)))
     {
       image_error ("Invalid image size (see `max-image-size')", Qnil, Qnil);
       return 0;
     }
+  img->width = in_width;
+  img->height = in_height;
 
   /* Create the pixmap.  */
   xassert (img->pixmap == NO_PIXMAP);
@@ -8515,14 +8530,14 @@ gs_load (struct frame *f, struct image *img)
      if successful.  We do not record_unwind_protect here because
      other places in redisplay like calling window scroll functions
      don't either.  Let the Lisp loader use `unwind-protect' instead.  */
-  sprintf (buffer, "%lu %lu",
-           (unsigned long) FRAME_X_WINDOW (f),
-           (unsigned long) img->pixmap);
+  printnum1 = FRAME_X_WINDOW (f);
+  printnum2 = img->pixmap;
+  sprintf (buffer, "%"pMu" %"pMu, printnum1, printnum2);
   window_and_pixmap_id = build_string (buffer);
 
-  sprintf (buffer, "%lu %lu",
-           FRAME_FOREGROUND_PIXEL (f),
-           FRAME_BACKGROUND_PIXEL (f));
+  printnum1 = FRAME_FOREGROUND_PIXEL (f);
+  printnum2 = FRAME_BACKGROUND_PIXEL (f);
+  sprintf (buffer, "%"pMu" %"pMu, printnum1, printnum2);
   pixel_colors = build_string (buffer);
 
   XSETFRAME (frame, f);
@@ -8547,7 +8562,8 @@ void
 x_kill_gs_process (Pixmap pixmap, struct frame *f)
 {
   struct image_cache *c = FRAME_IMAGE_CACHE (f);
-  int class, i;
+  int class;
+  ptrdiff_t i;
   struct image *img;
 
   /* Find the image containing PIXMAP.  */
@@ -8651,7 +8667,7 @@ DEFUN ("imagep", Fimagep, Simagep, 1, 1, 0,
 DEFUN ("lookup-image", Flookup_image, Slookup_image, 1, 1, 0, "")
   (Lisp_Object spec)
 {
-  int id = -1;
+  ptrdiff_t id = -1;
 
   if (valid_image_p (spec))
     id = lookup_image (SELECTED_FRAME (), spec);
diff --git a/src/indent.c b/src/indent.c
index 70689311dd5..313315e9081 100644
--- a/src/indent.c
+++ b/src/indent.c
@@ -284,7 +284,7 @@ skip_invisible (EMACS_INT pos, EMACS_INT *next_boundary_p, EMACS_INT to, Lisp_Ob
     else                                                                \
       {                                                                 \
         if (dp != 0 && VECTORP (DISP_CHAR_VECTOR (dp, ch)))             \
-          width = ASIZE (DISP_CHAR_VECTOR (dp, ch));                    \
+          width = sanitize_char_width (ASIZE (DISP_CHAR_VECTOR (dp, ch))); \
         else                                                            \
           width = CHAR_WIDTH (ch);                                      \
       }                                                                 \
@@ -318,15 +318,6 @@ invalidate_current_column (void)
   last_known_column_point = 0;
 }
 
-/* Return a non-outlandish value for the tab width.  */
-
-static int
-sane_tab_width (void)
-{
-  EMACS_INT n = XFASTINT (BVAR (current_buffer, tab_width));
-  return 0 < n && n <= 1000 ? n : 8;
-}
-
 EMACS_INT
 current_column (void)
 {
@@ -335,7 +326,7 @@ current_column (void)
   register int tab_seen;
   EMACS_INT post_tab;
   register int c;
-  int tab_width = sane_tab_width ();
+  int tab_width = SANE_TAB_WIDTH (current_buffer);
   int ctl_arrow = !NILP (BVAR (current_buffer, ctl_arrow));
   register struct Lisp_Char_Table *dp = buffer_display_table ();
 
@@ -515,7 +506,7 @@ check_display_width (EMACS_INT pos, EMACS_INT col, EMACS_INT *endpos)
 static void
 scan_for_column (EMACS_INT *endpos, EMACS_INT *goalcol, EMACS_INT *prevcol)
 {
-  int tab_width = sane_tab_width ();
+  int tab_width = SANE_TAB_WIDTH (current_buffer);
   register int ctl_arrow = !NILP (BVAR (current_buffer, ctl_arrow));
   register struct Lisp_Char_Table *dp = buffer_display_table ();
   int multibyte = !NILP (BVAR (current_buffer, enable_multibyte_characters));
@@ -732,7 +723,7 @@ string_display_width (Lisp_Object string, Lisp_Object beg, Lisp_Object end)
   register int tab_seen;
   int post_tab;
   register int c;
-  int tab_width = sane_tab_width ();
+  int tab_width = SANE_TAB_WIDTH (current_buffer);
   int ctl_arrow = !NILP (current_buffer->ctl_arrow);
   register struct Lisp_Char_Table *dp = buffer_display_table ();
   int b, e;
@@ -808,7 +799,7 @@ The return value is COLUMN.  */)
 {
   EMACS_INT mincol;
   register EMACS_INT fromcol;
-  int tab_width = sane_tab_width ();
+  int tab_width = SANE_TAB_WIDTH (current_buffer);
 
   CHECK_NUMBER (column);
   if (NILP (minimum))
@@ -867,7 +858,7 @@ static EMACS_INT
 position_indentation (register int pos_byte)
 {
   register EMACS_INT column = 0;
-  int tab_width = sane_tab_width ();
+  int tab_width = SANE_TAB_WIDTH (current_buffer);
   register unsigned char *p;
   register unsigned char *stop;
   unsigned char *start;
@@ -1116,7 +1107,7 @@ compute_motion (EMACS_INT from, EMACS_INT fromvpos, EMACS_INT fromhpos, int did_
   register EMACS_INT pos;
   EMACS_INT pos_byte;
   register int c = 0;
-  int tab_width = sane_tab_width ();
+  int tab_width = SANE_TAB_WIDTH (current_buffer);
   register int ctl_arrow = !NILP (BVAR (current_buffer, ctl_arrow));
   register struct Lisp_Char_Table *dp = window_display_table (win);
   EMACS_INT selective
@@ -1432,7 +1423,7 @@ compute_motion (EMACS_INT from, EMACS_INT fromvpos, EMACS_INT fromhpos, int did_
          the text character-by-character.  */
       if (current_buffer->width_run_cache && pos >= next_width_run)
         {
-          EMACS_INT run_end;
+          ptrdiff_t run_end;
           int common_width
             = region_cache_forward (current_buffer,
                                     current_buffer->width_run_cache,
diff --git a/src/keyboard.c b/src/keyboard.c
index 95f64847a4f..054cd3e9a20 100644
--- a/src/keyboard.c
+++ b/src/keyboard.c
@@ -438,16 +438,16 @@ static void (*keyboard_init_hook) (void);
 static int read_avail_input (int);
 static void get_input_pending (int *, int);
 static int readable_events (int);
-static Lisp_Object read_char_x_menu_prompt (int, Lisp_Object *,
+static Lisp_Object read_char_x_menu_prompt (ptrdiff_t, Lisp_Object *,
                                             Lisp_Object, int *);
-static Lisp_Object read_char_minibuf_menu_prompt (int, int,
+static Lisp_Object read_char_minibuf_menu_prompt (int, ptrdiff_t,
                                                   Lisp_Object *);
 static Lisp_Object make_lispy_event (struct input_event *);
 #if defined (HAVE_MOUSE) || defined (HAVE_GPM)
 static Lisp_Object make_lispy_movement (struct frame *, Lisp_Object,
                                         enum scroll_bar_part,
                                         Lisp_Object, Lisp_Object,
-                                        unsigned long);
+                                        Time);
 #endif
 static Lisp_Object modify_event_symbol (EMACS_INT, unsigned, Lisp_Object,
                                         Lisp_Object, const char *const *,
@@ -1303,7 +1303,7 @@ some_mouse_moved (void)
 /* This is the actual command reading loop,
    sans error-handling encapsulation.  */
 
-static int read_key_sequence (Lisp_Object *, size_t, Lisp_Object,
+static int read_key_sequence (Lisp_Object *, int, Lisp_Object,
                               int, int, int);
 void safe_run_hooks (Lisp_Object);
 static void adjust_point_for_property (EMACS_INT, int);
@@ -2270,7 +2270,8 @@ do { if (polling_stopped_here) start_polling ();	\
    Value is t if we showed a menu and the user rejected it.  */
 
 Lisp_Object
-read_char (int commandflag, int nmaps, Lisp_Object *maps, Lisp_Object prev_event,
+read_char (int commandflag, ptrdiff_t nmaps, Lisp_Object *maps,
+           Lisp_Object prev_event,
            int *used_mouse_menu, struct timeval *end_time)
 {
   volatile Lisp_Object c;
@@ -7421,7 +7422,7 @@ menu_bar_items (Lisp_Object old)
 {
   /* The number of keymaps we're scanning right now, and the number of
      keymaps we have allocated space for.  */
-  int nmaps;
+  ptrdiff_t nmaps;
 
   /* maps[0..nmaps-1] are the prefix definitions of KEYBUF[0..t-1]
      in the current keymaps, or nil where it is not a prefix.  */
@@ -7429,7 +7430,7 @@ menu_bar_items (Lisp_Object old)
 
   Lisp_Object def, tail;
 
-  int mapno;
+  ptrdiff_t mapno;
   Lisp_Object oquit;
 
   /* In order to build the menus, we need to call the keymap
@@ -7474,7 +7475,7 @@ menu_bar_items (Lisp_Object old)
            recognized when the menu-bar (or mode-line) is updated,
            which does not normally happen after every command.  */
         Lisp_Object tem;
-        int nminor;
+        ptrdiff_t nminor;
         nminor = current_minor_maps (NULL, &tmaps);
         maps = (Lisp_Object *) alloca ((nminor + 3) * sizeof (maps[0]));
         nmaps = 0;
@@ -7978,7 +7979,7 @@ Lisp_Object
 tool_bar_items (Lisp_Object reuse, int *nitems)
 {
   Lisp_Object *maps;
-  int nmaps, i;
+  ptrdiff_t nmaps, i;
   Lisp_Object oquit;
   Lisp_Object *tmaps;
 
@@ -8018,7 +8019,7 @@ tool_bar_items (Lisp_Object reuse, int *nitems)
          recognized when the tool-bar (or mode-line) is updated,
          which does not normally happen after every command.  */
       Lisp_Object tem;
-      int nminor;
+      ptrdiff_t nminor;
       nminor = current_minor_maps (NULL, &tmaps);
       maps = (Lisp_Object *) alloca ((nminor + 3) * sizeof (maps[0]));
       nmaps = 0;
@@ -8290,10 +8291,11 @@ parse_tool_bar_item (Lisp_Object key, Lisp_Object item)
       Lisp_Object tcapt = PROP (TOOL_BAR_ITEM_CAPTION);
       const char *label = SYMBOLP (tkey) ? SSDATA (SYMBOL_NAME (tkey)) : "";
       const char *capt = STRINGP (tcapt) ? SSDATA (tcapt) : "";
-      EMACS_INT max_lbl = 2 * tool_bar_max_label_size;
+      ptrdiff_t max_lbl =
+        2 * max (0, min (tool_bar_max_label_size, STRING_BYTES_BOUND / 2));
       char *buf = (char *) xmalloc (max_lbl + 1);
       Lisp_Object new_lbl;
-      size_t caption_len = strlen (capt);
+      ptrdiff_t caption_len = strlen (capt);
 
       if (caption_len <= max_lbl && capt[0] != '\0')
         {
@@ -8306,7 +8308,7 @@ parse_tool_bar_item (Lisp_Object key, Lisp_Object item)
 
       if (strlen (label) <= max_lbl && label[0] != '\0')
         {
-          int j;
+          ptrdiff_t j;
           if (label != buf)
             strcpy (buf, label);
 
@@ -8415,10 +8417,10 @@ append_tool_bar_item (void)
    and do auto-saving in the inner call of read_char. */
 
 static Lisp_Object
-read_char_x_menu_prompt (int nmaps, Lisp_Object *maps, Lisp_Object prev_event,
-                         int *used_mouse_menu)
+read_char_x_menu_prompt (ptrdiff_t nmaps, Lisp_Object *maps,
+                         Lisp_Object prev_event, int *used_mouse_menu)
 {
-  int mapno;
+  ptrdiff_t mapno;
 
   if (used_mouse_menu)
     *used_mouse_menu = 0;
@@ -8446,7 +8448,7 @@ read_char_x_menu_prompt (int nmaps, Lisp_Object *maps, Lisp_Object prev_event,
       Lisp_Object *realmaps
         = (Lisp_Object *) alloca (nmaps * sizeof (Lisp_Object));
       Lisp_Object value;
-      int nmaps1 = 0;
+      ptrdiff_t nmaps1 = 0;
 
       /* Use the maps that are not nil.  */
       for (mapno = 0; mapno < nmaps; mapno++)
@@ -8497,17 +8499,18 @@ read_char_x_menu_prompt (int nmaps, Lisp_Object *maps, Lisp_Object prev_event,
    We make this bigger when necessary, and never free it.  */
 static char *read_char_minibuf_menu_text;
 /* Size of that buffer.  */
-static int read_char_minibuf_menu_width;
+static ptrdiff_t read_char_minibuf_menu_width;
 
 static Lisp_Object
-read_char_minibuf_menu_prompt (int commandflag, int nmaps, Lisp_Object *maps)
+read_char_minibuf_menu_prompt (int commandflag,
+                               ptrdiff_t nmaps, Lisp_Object *maps)
 {
-  int mapno;
+  ptrdiff_t mapno;
   register Lisp_Object name;
-  int nlength;
+  ptrdiff_t nlength;
   /* FIXME: Use the minibuffer's frame width.  */
-  int width = FRAME_COLS (SELECTED_FRAME ()) - 4;
-  int idx = -1;
+  ptrdiff_t width = FRAME_COLS (SELECTED_FRAME ()) - 4;
+  ptrdiff_t idx = -1;
   int nobindings = 1;
   Lisp_Object rest, vector;
   char *menu;
@@ -8532,16 +8535,13 @@ read_char_minibuf_menu_prompt (int commandflag, int nmaps, Lisp_Object *maps)
 
   /* Make sure we have a big enough buffer for the menu text.  */
   width = max (width, SBYTES (name));
-  if (read_char_minibuf_menu_text == 0)
+  if (STRING_BYTES_BOUND - 4 < width)
+    memory_full (SIZE_MAX);
+  if (width + 4 > read_char_minibuf_menu_width)
     {
-      read_char_minibuf_menu_width = width + 4;
-      read_char_minibuf_menu_text = (char *) xmalloc (width + 4);
-    }
-  else if (width + 4 > read_char_minibuf_menu_width)
-    {
-      read_char_minibuf_menu_width = width + 4;
       read_char_minibuf_menu_text
         = (char *) xrealloc (read_char_minibuf_menu_text, width + 4);
+      read_char_minibuf_menu_width = width + 4;
     }
   menu = read_char_minibuf_menu_text;
 
@@ -8560,7 +8560,7 @@ read_char_minibuf_menu_prompt (int commandflag, int nmaps, Lisp_Object *maps)
   while (1)
     {
       int notfirst = 0;
-      int i = nlength;
+      ptrdiff_t i = nlength;
       Lisp_Object obj;
       Lisp_Object orig_defn_macro;
 
@@ -8659,7 +8659,7 @@ read_char_minibuf_menu_prompt (int commandflag, int nmaps, Lisp_Object *maps)
                       < width
                       || !notfirst)
                     {
-                      int thiswidth;
+                      ptrdiff_t thiswidth;
 
                       /* Punctuate between strings.  */
                       if (notfirst)
@@ -8675,9 +8675,7 @@ read_char_minibuf_menu_prompt (int commandflag, int nmaps, Lisp_Object *maps)
                       if (! char_matches)
                         {
                           /* Add as much of string as fits.  */
-                          thiswidth = SCHARS (desc);
-                          if (thiswidth + i > width)
-                            thiswidth = width - i;
+                          thiswidth = min (SCHARS (desc), width - i);
                           memcpy (menu + i, SDATA (desc), thiswidth);
                           i += thiswidth;
                           strcpy (menu + i, " = ");
@@ -8685,9 +8683,7 @@ read_char_minibuf_menu_prompt (int commandflag, int nmaps, Lisp_Object *maps)
                         }
 
                       /* Add as much of string as fits.  */
-                      thiswidth = SCHARS (s);
-                      if (thiswidth + i > width)
-                        thiswidth = width - i;
+                      thiswidth = min (SCHARS (s), width - i);
                       memcpy (menu + i, SDATA (s), thiswidth);
                       i += thiswidth;
                       menu[i] = 0;
@@ -8762,10 +8758,10 @@ read_char_minibuf_menu_prompt (int commandflag, int nmaps, Lisp_Object *maps)
    NEXT may be the same array as CURRENT.  */
 
 static int
-follow_key (Lisp_Object key, int nmaps, Lisp_Object *current, Lisp_Object *defs,
-            Lisp_Object *next)
+follow_key (Lisp_Object key, ptrdiff_t nmaps, Lisp_Object *current,
+            Lisp_Object *defs, Lisp_Object *next)
 {
-  int i, first_binding;
+  ptrdiff_t i, first_binding;
 
   first_binding = nmaps;
   for (i = nmaps - 1; i >= 0; i--)
@@ -8865,7 +8861,7 @@ access_keymap_keyremap (Lisp_Object map, Lisp_Object key, Lisp_Object prompt,
    The return value is non-zero if the remapping actually took place.  */
 
 static int
-keyremap_step (Lisp_Object *keybuf, size_t bufsize, volatile keyremap *fkey,
+keyremap_step (Lisp_Object *keybuf, int bufsize, volatile keyremap *fkey,
                int input, int doit, int *diff, Lisp_Object prompt)
 {
   Lisp_Object next, key;
@@ -8887,7 +8883,7 @@ keyremap_step (Lisp_Object *keybuf, size_t bufsize, volatile keyremap *fkey,
 
       *diff = len - (fkey->end - fkey->start);
 
-      if (input + *diff >= bufsize)
+      if (bufsize - input <= *diff)
         error ("Key sequence too long");
 
       /* Shift the keys that follow fkey->end.  */
@@ -8958,7 +8954,7 @@ keyremap_step (Lisp_Object *keybuf, size_t bufsize, volatile keyremap *fkey,
    from the selected window's buffer.  */
 
 static int
-read_key_sequence (Lisp_Object *keybuf, size_t bufsize, Lisp_Object prompt,
+read_key_sequence (Lisp_Object *keybuf, int bufsize, Lisp_Object prompt,
                    int dont_downcase_last, int can_return_switch_frame,
                    int fix_current_buffer)
 {
@@ -8975,8 +8971,8 @@ read_key_sequence (Lisp_Object *keybuf, size_t bufsize, Lisp_Object prompt,
 
   /* The number of keymaps we're scanning right now, and the number of
      keymaps we have allocated space for.  */
-  int nmaps;
-  int nmaps_allocated = 0;
+  ptrdiff_t nmaps;
+  ptrdiff_t nmaps_allocated = 0;
 
   /* defs[0..nmaps-1] are the definitions of KEYBUF[0..t-1] in
      the current keymaps.  */
@@ -9000,7 +8996,7 @@ read_key_sequence (Lisp_Object *keybuf, size_t bufsize, Lisp_Object prompt,
   /* The index in submaps[] of the first keymap that has a binding for
      this key sequence.  In other words, the lowest i such that
      submaps[i] is non-nil.  */
-  int first_binding;
+  ptrdiff_t first_binding;
   /* Index of the first key that has no binding.
      It is useless to try fkey.start larger than that.  */
   int first_unbound;
@@ -9161,8 +9157,8 @@ read_key_sequence (Lisp_Object *keybuf, size_t bufsize, Lisp_Object prompt,
     }
   else
     {
-      int nminor;
-      int total;
+      ptrdiff_t nminor;
+      ptrdiff_t total;
       Lisp_Object *maps;
 
       nminor = current_minor_maps (0, &maps);
@@ -9228,7 +9224,8 @@ read_key_sequence (Lisp_Object *keybuf, size_t bufsize, Lisp_Object prompt,
          echo_local_start and keys_local_start allow us to throw away
          just one key.  */
       int echo_local_start IF_LINT (= 0);
-      int keys_local_start, local_first_binding;
+      int keys_local_start;
+      ptrdiff_t local_first_binding;
 
       eassert (indec.end == t || (indec.end > t && indec.end <= mock_input));
       eassert (indec.start <= indec.end);
@@ -9565,7 +9562,7 @@ read_key_sequence (Lisp_Object *keybuf, size_t bufsize, Lisp_Object prompt,
                   && (NILP (fake_prefixed_keys)
                       || NILP (Fmemq (key, fake_prefixed_keys))))
                 {
-                  if (t + 1 >= bufsize)
+                  if (bufsize - t <= 1)
                     error ("Key sequence too long");
 
                   keybuf[t]     = posn;
@@ -9646,7 +9643,7 @@ read_key_sequence (Lisp_Object *keybuf, size_t bufsize, Lisp_Object prompt,
                  insert the dummy prefix event `menu-bar'.  */
               if (EQ (posn, Qmenu_bar) || EQ (posn, Qtool_bar))
                 {
-                  if (t + 1 >= bufsize)
+                  if (bufsize - t <= 1)
                     error ("Key sequence too long");
                   keybuf[t] = posn;
                   keybuf[t+1] = key;
diff --git a/src/keyboard.h b/src/keyboard.h
index 69c804c873d..d4339d0529b 100644
--- a/src/keyboard.h
+++ b/src/keyboard.h
@@ -440,7 +440,7 @@ struct input_event;
 
 extern Lisp_Object parse_modifiers (Lisp_Object);
 extern Lisp_Object reorder_modifiers (Lisp_Object);
-extern Lisp_Object read_char (int, int, Lisp_Object *, Lisp_Object,
+extern Lisp_Object read_char (int, ptrdiff_t, Lisp_Object *, Lisp_Object,
                               int *, EMACS_TIME *);
 extern int parse_solitary_modifier (Lisp_Object symbol);
 
diff --git a/src/keymap.c b/src/keymap.c
index 3b0edbf4fb3..32b531daac4 100644
--- a/src/keymap.c
+++ b/src/keymap.c
@@ -1399,7 +1399,7 @@ silly_event_symbol_error (Lisp_Object c)
    some systems, static gets macro-defined to be the empty string.
    Ickypoo.  */
 static Lisp_Object *cmm_modes = NULL, *cmm_maps = NULL;
-static int cmm_size = 0;
+static ptrdiff_t cmm_size = 0;
 
 /* Store a pointer to an array of the currently active minor modes in
    *modeptr, a pointer to an array of the keymaps of the currently
@@ -1419,10 +1419,10 @@ static int cmm_size = 0;
    loop.  Instead, we'll use realloc/malloc and silently truncate the
    list, let the key sequence be read, and hope some other piece of
    code signals the error.  */
-int
+ptrdiff_t
 current_minor_maps (Lisp_Object **modeptr, Lisp_Object **mapptr)
 {
-  int i = 0;
+  ptrdiff_t i = 0;
   int list_number = 0;
   Lisp_Object alist, assoc, var, val;
   Lisp_Object emulation_alists;
@@ -1465,9 +1465,16 @@ current_minor_maps (Lisp_Object **modeptr, Lisp_Object **mapptr)
 
             if (i >= cmm_size)
               {
-                int newsize, allocsize;
+                ptrdiff_t newsize, allocsize;
                 Lisp_Object *newmodes, *newmaps;
 
+                /* Check for size calculation overflow.  Other code
+                   (e.g., read_key_sequence) adds 3 to the count
+                   later, so subtract 3 from the limit here.  */
+                if (min (PTRDIFF_MAX, SIZE_MAX) / (2 * sizeof *newmodes) - 3
+                    < cmm_size)
+                  break;
+
                 newsize = cmm_size == 0 ? 30 : cmm_size * 2;
                 allocsize = newsize * sizeof *newmodes;
 
diff --git a/src/keymap.h b/src/keymap.h
index 2c826b64e1f..ec9d4cadbb1 100644
--- a/src/keymap.h
+++ b/src/keymap.h
@@ -38,7 +38,7 @@ extern Lisp_Object get_keymap (Lisp_Object, int, int);
 EXFUN (Fset_keymap_parent, 2);
 extern int describe_map_tree (Lisp_Object, int, Lisp_Object, Lisp_Object,
                               const char *, int, int, int, int);
-extern int current_minor_maps (Lisp_Object **, Lisp_Object **);
+extern ptrdiff_t current_minor_maps (Lisp_Object **, Lisp_Object **);
 extern void initial_define_key (Lisp_Object, int, const char *);
 extern void initial_define_lispy_key (Lisp_Object, const char *, const char *);
 extern void syms_of_keymap (void);
diff --git a/src/lisp.h b/src/lisp.h
index 14bd429a45e..5ca31132668 100644
--- a/src/lisp.h
+++ b/src/lisp.h
@@ -1708,6 +1708,11 @@ typedef struct {
 #define NUMBERP(x) (INTEGERP (x) || FLOATP (x))
 #define NATNUMP(x) (INTEGERP (x) && XINT (x) >= 0)
 
+#define RANGED_INTEGERP(lo, x, hi) \
+  (INTEGERP (x) && (lo) <= XINT (x) && XINT (x) <= (hi))
+#define TYPE_RANGED_INTEGERP(type, x) \
+  RANGED_INTEGERP (TYPE_MINIMUM (type), x, TYPE_MAXIMUM (type))
+
 #define INTEGERP(x) (LISP_INT_TAG_P (XTYPE ((x))))
 #define SYMBOLP(x) (XTYPE ((x)) == Lisp_Symbol)
 #define MISCP(x) (XTYPE ((x)) == Lisp_Misc)
@@ -2555,6 +2560,7 @@ extern void syms_of_syntax (void);
 
 /* Defined in fns.c */
 extern Lisp_Object QCrehash_size, QCrehash_threshold;
+enum { NEXT_ALMOST_PRIME_LIMIT = 11 };
 extern EMACS_INT next_almost_prime (EMACS_INT);
 extern Lisp_Object larger_vector (Lisp_Object, EMACS_INT, Lisp_Object);
 extern void sweep_weak_hash_tables (void);
@@ -2566,8 +2572,8 @@ EMACS_UINT sxhash (Lisp_Object, int);
 Lisp_Object make_hash_table (Lisp_Object, Lisp_Object, Lisp_Object,
                              Lisp_Object, Lisp_Object, Lisp_Object,
                              Lisp_Object);
-EMACS_INT hash_lookup (struct Lisp_Hash_Table *, Lisp_Object, EMACS_UINT *);
-EMACS_INT hash_put (struct Lisp_Hash_Table *, Lisp_Object, Lisp_Object,
+ptrdiff_t hash_lookup (struct Lisp_Hash_Table *, Lisp_Object, EMACS_UINT *);
+ptrdiff_t hash_put (struct Lisp_Hash_Table *, Lisp_Object, Lisp_Object,
                     EMACS_UINT);
 void init_weak_hash_tables (void);
 extern void init_fns (void);
@@ -3573,6 +3579,9 @@ extern int immediate_quit;	    /* Nonzero means ^G can quit instantly */
 extern POINTER_TYPE *xmalloc (size_t);
 extern POINTER_TYPE *xrealloc (POINTER_TYPE *, size_t);
 extern void xfree (POINTER_TYPE *);
+extern void *xnmalloc (ptrdiff_t, ptrdiff_t);
+extern void *xnrealloc (void *, ptrdiff_t, ptrdiff_t);
+extern void *xpalloc (void *, ptrdiff_t *, ptrdiff_t, ptrdiff_t, ptrdiff_t);
 
 extern char *xstrdup (const char *);
 
@@ -3690,6 +3699,23 @@ extern Lisp_Object safe_alloca_unwind (Lisp_Object);
       }                                                   \
   } while (0)
 
+/* SAFE_NALLOCA sets BUF to a newly allocated array of MULTIPLIER *
+   NITEMS items, each of the same type as *BUF.  MULTIPLIER must
+   positive.  The code is tuned for MULTIPLIER being a constant.  */
+
+#define SAFE_NALLOCA(buf, multiplier, nitems)                   \
+  do {                                                          \
+    if ((nitems) <= MAX_ALLOCA / sizeof *(buf) / (multiplier))  \
+      (buf) = alloca (sizeof *(buf) * (multiplier) * (nitems)); \
+    else                                                        \
+      {                                                          \
+        (buf) = xnmalloc (nitems, sizeof *(buf) * (multiplier)); \
+        sa_must_free = 1;                                        \
+        record_unwind_protect (safe_alloca_unwind,               \
+                               make_save_value (buf, 0));        \
+      }                                                          \
+  } while (0)
+
 /* SAFE_FREE frees xmalloced memory and enables GC as needed.  */
 
 #define SAFE_FREE()                     \
diff --git a/src/lread.c b/src/lread.c
index 6d1a7b102d7..d24da729df6 100644
--- a/src/lread.c
+++ b/src/lread.c
@@ -2637,14 +2637,14 @@ read1 (register Lisp_Object readcharfun, int *pch, int first_in_list)
 
               if (saved_doc_string_size == 0)
                 {
+                  saved_doc_string = (char *) xmalloc (nskip + extra);
                   saved_doc_string_size = nskip + extra;
-                  saved_doc_string = (char *) xmalloc (saved_doc_string_size);
                 }
               if (nskip > saved_doc_string_size)
                 {
-                  saved_doc_string_size = nskip + extra;
                   saved_doc_string = (char *) xrealloc (saved_doc_string,
-                                                        saved_doc_string_size);
+                                                        nskip + extra);
+                  saved_doc_string_size = nskip + extra;
                 }
 
               saved_doc_string_position = file_tell (instream);
@@ -2907,7 +2907,8 @@ read1 (register Lisp_Object readcharfun, int *pch, int first_in_list)
                 if (min (PTRDIFF_MAX, SIZE_MAX) / 2 < read_buffer_size)
                   memory_full (SIZE_MAX);
                 read_buffer = (char *) xrealloc (read_buffer,
-                                                 read_buffer_size *= 2);
+                                                 read_buffer_size * 2);
+                read_buffer_size *= 2;
                 p = read_buffer + offset;
                 end = read_buffer + read_buffer_size;
               }
@@ -3050,7 +3051,8 @@ read1 (register Lisp_Object readcharfun, int *pch, int first_in_list)
                   if (min (PTRDIFF_MAX, SIZE_MAX) / 2 < read_buffer_size)
                     memory_full (SIZE_MAX);
                   read_buffer = (char *) xrealloc (read_buffer,
-                                                   read_buffer_size *= 2);
+                                                   read_buffer_size * 2);
+                  read_buffer_size *= 2;
                   p = read_buffer + offset;
                   end = read_buffer + read_buffer_size;
                 }
@@ -3080,7 +3082,8 @@ read1 (register Lisp_Object readcharfun, int *pch, int first_in_list)
               if (min (PTRDIFF_MAX, SIZE_MAX) / 2 < read_buffer_size)
                 memory_full (SIZE_MAX);
               read_buffer = (char *) xrealloc (read_buffer,
-                                               read_buffer_size *= 2);
+                                               read_buffer_size * 2);
+              read_buffer_size *= 2;
               p = read_buffer + offset;
               end = read_buffer + read_buffer_size;
             }
@@ -3962,6 +3965,7 @@ void
 init_obarray (void)
 {
   Lisp_Object oblength;
+  ptrdiff_t size = 100 + MAX_MULTIBYTE_LENGTH;
 
   XSETFASTINT (oblength, OBARRAY_SIZE);
 
@@ -3994,8 +3998,8 @@ init_obarray (void)
 
   DEFSYM (Qvariable_documentation, "variable-documentation");
 
-  read_buffer_size = 100 + MAX_MULTIBYTE_LENGTH;
-  read_buffer = (char *) xmalloc (read_buffer_size);
+  read_buffer = (char *) xmalloc (size);
+  read_buffer_size = size;
 }
 
 void
diff --git a/src/macros.c b/src/macros.c
index 60f30c3fbbe..f6cd3a3ccad 100644
--- a/src/macros.c
+++ b/src/macros.c
@@ -62,9 +62,9 @@ macro before appending to it. */)
 
   if (!current_kboard->kbd_macro_buffer)
     {
-      current_kboard->kbd_macro_bufsize = 30;
       current_kboard->kbd_macro_buffer
         = (Lisp_Object *)xmalloc (30 * sizeof (Lisp_Object));
+      current_kboard->kbd_macro_bufsize = 30;
     }
   update_mode_lines++;
   if (NILP (append))
@@ -202,7 +202,7 @@ store_kbd_macro_char (Lisp_Object c)
           if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof *kb->kbd_macro_buffer / 2
               < kb->kbd_macro_bufsize)
             memory_full (SIZE_MAX);
-          nbytes = kb->kbd_macro_bufsize * 2 * sizeof *kb->kbd_macro_buffer;
+          nbytes = kb->kbd_macro_bufsize * (2 * sizeof *kb->kbd_macro_buffer);
           kb->kbd_macro_buffer
             = (Lisp_Object *) xrealloc (kb->kbd_macro_buffer, nbytes);
           kb->kbd_macro_bufsize *= 2;
diff --git a/src/makefile.w32-in b/src/makefile.w32-in
index 792b66b0e4f..53cb5f857ab 100644
--- a/src/makefile.w32-in
+++ b/src/makefile.w32-in
@@ -469,6 +469,7 @@ $(BLD)/alloc.$(O) : \
         $(SRC)/syssignal.h \
         $(SRC)/w32.h \
         $(NT_INC)/unistd.h \
+        $(GNU_LIB)/verify.h \
         $(BLOCKINPUT_H) \
         $(CHARACTER_H) \
         $(CONFIG_H) \
diff --git a/src/minibuf.c b/src/minibuf.c
index 7e59cf157b5..eb564a10ec6 100644
--- a/src/minibuf.c
+++ b/src/minibuf.c
@@ -1723,7 +1723,7 @@ the values STRING, PREDICATE and `lambda'.  */)
   (Lisp_Object string, Lisp_Object collection, Lisp_Object predicate)
 {
   Lisp_Object regexps, tail, tem = Qnil;
-  EMACS_INT i = 0;
+  ptrdiff_t i = 0;
 
   CHECK_STRING (string);
 
diff --git a/src/nsmenu.m b/src/nsmenu.m
index 6bde229ed4d..951282910ac 100644
--- a/src/nsmenu.m
+++ b/src/nsmenu.m
@@ -1014,7 +1014,7 @@ update_frame_tool_bar (FRAME_PTR f)
       BOOL enabled_p = !NILP (TOOLPROP (TOOL_BAR_ITEM_ENABLED_P));
       BOOL selected_p = !NILP (TOOLPROP (TOOL_BAR_ITEM_SELECTED_P));
       int idx;
-      int img_id;
+      ptrdiff_t img_id;
       struct image *img;
       Lisp_Object image;
       Lisp_Object helpObj;
diff --git a/src/nsterm.h b/src/nsterm.h
index 902f35c96ea..188ec732e82 100644
--- a/src/nsterm.h
+++ b/src/nsterm.h
@@ -416,8 +416,8 @@ struct ns_bitmap_record
 /* this to map between emacs color indices and NSColor objects */
 struct ns_color_table
 {
-  unsigned int size;
-  unsigned int avail;
+  ptrdiff_t size;
+  ptrdiff_t avail;
 #ifdef __OBJC__
   NSColor **colors;
   NSMutableSet *empty_indices;
diff --git a/src/nsterm.m b/src/nsterm.m
index 582e53e202c..4c9574c35ba 100644
--- a/src/nsterm.m
+++ b/src/nsterm.m
@@ -1341,7 +1341,7 @@ unsigned long
 ns_index_color (NSColor *color, struct frame *f)
 {
   struct ns_color_table *color_table = FRAME_NS_DISPLAY_INFO (f)->color_table;
-  int idx;
+  ptrdiff_t idx;
   NSNumber *index;
 
   if (!color_table->colors)
@@ -1356,7 +1356,7 @@ ns_index_color (NSColor *color, struct frame *f)
 
   /* do we already have this color ? */
   {
-    int i;
+    ptrdiff_t i;
     for (i = 1; i < color_table->avail; i++)
       {
         if (color_table->colors[i] && [color_table->colors[i] isEqual: color])
@@ -1371,17 +1371,14 @@ ns_index_color (NSColor *color, struct frame *f)
     {
       index = [color_table->empty_indices anyObject];
       [color_table->empty_indices removeObject: index];
-      idx = [index unsignedIntValue];
+      idx = [index unsignedLongValue];
     }
   else
     {
       if (color_table->avail == color_table->size)
-        {
-          color_table->size += NS_COLOR_CAPACITY;
-          color_table->colors
-            = (NSColor **)xrealloc (color_table->colors,
-                                    color_table->size * sizeof (NSColor *));
-        }
+        color_table->colors =
+          xpalloc (color_table->colors, &color_table->size, 1,
+                   min (ULONG_MAX, PTRDIFF_MAX), sizeof *color_table->colors);
       idx = color_table->avail++;
     }
 
@@ -2321,7 +2318,7 @@ ns_draw_fringe_bitmap (struct window *w, struct glyph_row *row,
       if (!img)
         {
           unsigned short *bits = p->bits + p->dh;
-          int len = 8 * p->h/8;
+          int len = p->h;
           int i;
           unsigned char *cbits = xmalloc (len);
 
@@ -4867,7 +4864,7 @@ ns_term_shutdown (int sig)
         }
     }
 
-  
+
 #if !defined (NS_IMPL_COCOA) || MAC_OS_X_VERSION_MAX_ALLOWED < MAC_OS_X_VERSION_10_6
   /* if we get here we should send the key for input manager processing */
   if (firstTime && [[NSInputManager currentInputManager]
diff --git a/src/process.c b/src/process.c
index 977cfb964e2..a8088322147 100644
--- a/src/process.c
+++ b/src/process.c
@@ -3573,52 +3573,27 @@ format; see the description of ADDRESS in `make-network-process'.  */)
   struct ifconf ifconf;
   struct ifreq *ifreq;
   void *buf = NULL;
-  int buf_size = 512, s, i;
+  ptrdiff_t buf_size = 512;
+  int s, i;
   Lisp_Object res;
 
   s = socket (AF_INET, SOCK_STREAM, 0);
   if (s < 0)
     return Qnil;
 
-  ifconf.ifc_buf = 0;
-  ifconf.ifc_len = 0;
-  if (ioctl (s, SIOCGIFCONF, &ifconf) == 0 && ifconf.ifc_len > 0)
+  do
     {
-      ifconf.ifc_buf = xmalloc (ifconf.ifc_len);
-      if (ifconf.ifc_buf == NULL)
-        {
-          close (s);
-          return Qnil;
-        }
+      buf = xpalloc (buf, &buf_size, 1, INT_MAX, 1);
+      ifconf.ifc_buf = buf;
+      ifconf.ifc_len = buf_size;
       if (ioctl (s, SIOCGIFCONF, &ifconf))
         {
           close (s);
-          xfree (ifconf.ifc_buf);
+          xfree (buf);
           return Qnil;
         }
     }
-  else
-    do
-      {
-        buf_size *= 2;
-        buf = xrealloc (buf, buf_size);
-        if (!buf)
-          {
-            close (s);
-            return Qnil;
-          }
-
-        ifconf.ifc_buf = buf;
-        ifconf.ifc_len = buf_size;
-        if (ioctl (s, SIOCGIFCONF, &ifconf))
-          {
-            close (s);
-            xfree (buf);
-            return Qnil;
-          }
-
-      }
-    while (ifconf.ifc_len == buf_size);
+  while (ifconf.ifc_len == buf_size);
 
   close (s);
 
diff --git a/src/region-cache.c b/src/region-cache.c
index d701f4d71b0..ed7a07a6709 100644
--- a/src/region-cache.c
+++ b/src/region-cache.c
@@ -63,7 +63,7 @@ along with GNU Emacs.  If not, see <http://www.gnu.org/licenses/>.  */
    revalidate_region_cache to see how this helps.  */
 
 struct boundary {
-  EMACS_INT pos;
+  ptrdiff_t pos;
   int value;
 };
 
@@ -73,16 +73,16 @@ struct region_cache {
   struct boundary *boundaries;
 
   /* boundaries[gap_start ... gap_start + gap_len - 1] is the gap.  */
-  EMACS_INT gap_start, gap_len;
+  ptrdiff_t gap_start, gap_len;
 
   /* The number of elements allocated to boundaries, not including the
      gap.  */
-  EMACS_INT cache_len;
+  ptrdiff_t cache_len;
 
   /* The areas that haven't changed since the last time we cleaned out
      invalid entries from the cache.  These overlap when the buffer is
      entirely unchanged.  */
-  EMACS_INT beg_unchanged, end_unchanged;
+  ptrdiff_t beg_unchanged, end_unchanged;
 
   /* The first and last positions in the buffer.  Because boundaries
      store their positions relative to the start (BEG) and end (Z) of
@@ -92,7 +92,7 @@ struct region_cache {
 
      Yes, buffer_beg is always 1.  It's there for symmetry with
      buffer_end and the BEG and BUF_BEG macros.  */
-  EMACS_INT buffer_beg, buffer_end;
+  ptrdiff_t buffer_beg, buffer_end;
 };
 
 /* Return the position of boundary i in cache c.  */
@@ -173,17 +173,17 @@ free_region_cache (struct region_cache *c)
    This operation should be logarithmic in the number of cache
    entries.  It would be nice if it took advantage of locality of
    reference, too, by searching entries near the last entry found.  */
-static EMACS_INT
-find_cache_boundary (struct region_cache *c, EMACS_INT pos)
+static ptrdiff_t
+find_cache_boundary (struct region_cache *c, ptrdiff_t pos)
 {
-  EMACS_INT low = 0, high = c->cache_len;
+  ptrdiff_t low = 0, high = c->cache_len;
 
   while (low + 1 < high)
     {
       /* mid is always a valid index, because low < high and ">> 1"
          rounds down.  */
-      EMACS_INT mid = (low + high) >> 1;
-      EMACS_INT boundary = BOUNDARY_POS (c, mid);
+      ptrdiff_t mid = (low >> 1) + (high >> 1) + (low & high & 1);
+      ptrdiff_t boundary = BOUNDARY_POS (c, mid);
 
       if (pos < boundary)
         high = mid;
@@ -208,13 +208,13 @@ find_cache_boundary (struct region_cache *c, EMACS_INT pos)
 /* Move the gap of cache C to index POS, and make sure it has space
    for at least MIN_SIZE boundaries.  */
 static void
-move_cache_gap (struct region_cache *c, EMACS_INT pos, EMACS_INT min_size)
+move_cache_gap (struct region_cache *c, ptrdiff_t pos, ptrdiff_t min_size)
 {
   /* Copy these out of the cache and into registers.  */
-  EMACS_INT gap_start = c->gap_start;
-  EMACS_INT gap_len = c->gap_len;
-  EMACS_INT buffer_beg = c->buffer_beg;
-  EMACS_INT buffer_end = c->buffer_end;
+  ptrdiff_t gap_start = c->gap_start;
+  ptrdiff_t gap_len = c->gap_len;
+  ptrdiff_t buffer_beg = c->buffer_beg;
+  ptrdiff_t buffer_end = c->buffer_end;
 
   if (pos < 0
       || pos > c->cache_len)
@@ -246,17 +246,11 @@ move_cache_gap (struct region_cache *c, EMACS_INT pos, EMACS_INT min_size)
      when the portion after the gap is smallest.  */
   if (gap_len < min_size)
     {
-      EMACS_INT i;
-
-      /* Always make at least NEW_CACHE_GAP elements, as long as we're
-         expanding anyway.  */
-      if (min_size < NEW_CACHE_GAP)
-        min_size = NEW_CACHE_GAP;
+      ptrdiff_t i;
 
       c->boundaries =
-        (struct boundary *) xrealloc (c->boundaries,
-                                      ((min_size + c->cache_len)
-                                       * sizeof (*c->boundaries)));
+        xpalloc (c->boundaries, &c->cache_len, min_size, -1,
+                 sizeof *c->boundaries);
 
       /* Some systems don't provide a version of the copy routine that
          can be trusted to shift memory upward into an overlapping
@@ -293,7 +287,7 @@ move_cache_gap (struct region_cache *c, EMACS_INT pos, EMACS_INT min_size)
 /* Insert a new boundary in cache C; it will have cache index I,
    and have the specified POS and VALUE.  */
 static void
-insert_cache_boundary (struct region_cache *c, EMACS_INT i, EMACS_INT pos,
+insert_cache_boundary (struct region_cache *c, ptrdiff_t i, ptrdiff_t pos,
                        int value)
 {
   /* i must be a valid cache index.  */
@@ -331,9 +325,9 @@ insert_cache_boundary (struct region_cache *c, EMACS_INT i, EMACS_INT pos,
 
 static void
 delete_cache_boundaries (struct region_cache *c,
-                         EMACS_INT start, EMACS_INT end)
+                         ptrdiff_t start, ptrdiff_t end)
 {
-  EMACS_INT len = end - start;
+  ptrdiff_t len = end - start;
 
   /* Gotta be in range.  */
   if (start < 0
@@ -384,7 +378,7 @@ delete_cache_boundaries (struct region_cache *c,
 /* Set the value in cache C for the region START..END to VALUE.  */
 static void
 set_cache_region (struct region_cache *c,
-                  EMACS_INT start, EMACS_INT end, int value)
+                  ptrdiff_t start, ptrdiff_t end, int value)
 {
   if (start > end)
     abort ();
@@ -407,8 +401,8 @@ set_cache_region (struct region_cache *c,
        index of the earliest boundary after the last character in
        start..end.  (This tortured terminology is intended to answer
        all the "< or <=?" sort of questions.)  */
-    EMACS_INT start_ix = find_cache_boundary (c, start);
-    EMACS_INT end_ix   = find_cache_boundary (c, end - 1) + 1;
+    ptrdiff_t start_ix = find_cache_boundary (c, start);
+    ptrdiff_t end_ix   = find_cache_boundary (c, end - 1) + 1;
 
     /* We must remember the value established by the last boundary
        before end; if that boundary's domain stretches beyond end,
@@ -486,7 +480,7 @@ set_cache_region (struct region_cache *c,
    args to pass are the same before and after such an operation.)  */
 void
 invalidate_region_cache (struct buffer *buf, struct region_cache *c,
-                         EMACS_INT head, EMACS_INT tail)
+                         ptrdiff_t head, ptrdiff_t tail)
 {
   /* Let chead = c->beg_unchanged, and
          ctail = c->end_unchanged.
@@ -624,7 +618,7 @@ revalidate_region_cache (struct buffer *buf, struct region_cache *c)
      corresponds to the modified region of the buffer.  */
   else
     {
-      EMACS_INT modified_ix;
+      ptrdiff_t modified_ix;
 
       /* These positions are correct, relative to both the cache basis
          and the buffer basis.  */
@@ -693,7 +687,7 @@ revalidate_region_cache (struct buffer *buf, struct region_cache *c)
    no newlines", in the case of the line cache).  */
 void
 know_region_cache (struct buffer *buf, struct region_cache *c,
-                   EMACS_INT start, EMACS_INT end)
+                   ptrdiff_t start, ptrdiff_t end)
 {
   revalidate_region_cache (buf, c);
 
@@ -708,14 +702,14 @@ know_region_cache (struct buffer *buf, struct region_cache *c,
    position after POS where the knownness changes.  */
 int
 region_cache_forward (struct buffer *buf, struct region_cache *c,
-                      EMACS_INT pos, EMACS_INT *next)
+                      ptrdiff_t pos, ptrdiff_t *next)
 {
   revalidate_region_cache (buf, c);
 
   {
-    EMACS_INT i = find_cache_boundary (c, pos);
+    ptrdiff_t i = find_cache_boundary (c, pos);
     int i_value = BOUNDARY_VALUE (c, i);
-    EMACS_INT j;
+    ptrdiff_t j;
 
     /* Beyond the end of the buffer is unknown, by definition.  */
     if (pos >= BUF_Z (buf))
@@ -744,7 +738,7 @@ region_cache_forward (struct buffer *buf, struct region_cache *c,
    the purposes of CACHE.  If NEXT is non-zero, set *NEXT to the nearest
    position before POS where the knownness changes.  */
 int region_cache_backward (struct buffer *buf, struct region_cache *c,
-                           EMACS_INT pos, EMACS_INT *next)
+                           ptrdiff_t pos, ptrdiff_t *next)
 {
   revalidate_region_cache (buf, c);
 
@@ -757,9 +751,9 @@ int region_cache_backward (struct buffer *buf, struct region_cache *c,
     }
 
   {
-    EMACS_INT i = find_cache_boundary (c, pos - 1);
+    ptrdiff_t i = find_cache_boundary (c, pos - 1);
     int i_value = BOUNDARY_VALUE (c, i);
-    EMACS_INT j;
+    ptrdiff_t j;
 
     if (next)
       {
@@ -785,18 +779,18 @@ void pp_cache (struct region_cache *) EXTERNALLY_VISIBLE;
 void
 pp_cache (struct region_cache *c)
 {
-  int i;
-  EMACS_INT beg_u = c->buffer_beg + c->beg_unchanged;
-  EMACS_INT end_u = c->buffer_end - c->end_unchanged;
+  ptrdiff_t i;
+  ptrdiff_t beg_u = c->buffer_beg + c->beg_unchanged;
+  ptrdiff_t end_u = c->buffer_end - c->end_unchanged;
 
   fprintf (stderr,
-           "basis: %"pI"d..%"pI"d    modified: %"pI"d..%"pI"d\n",
+           "basis: %"pD"d..%"pD"d    modified: %"pD"d..%"pD"d\n",
            c->buffer_beg, c->buffer_end,
            beg_u, end_u);
 
   for (i = 0; i < c->cache_len; i++)
     {
-      EMACS_INT pos = BOUNDARY_POS (c, i);
+      ptrdiff_t pos = BOUNDARY_POS (c, i);
 
       putc (((pos < beg_u) ? 'v'
              : (pos == beg_u) ? '-'
@@ -806,6 +800,6 @@ pp_cache (struct region_cache *c)
              : (pos == end_u) ? '-'
              : ' '),
             stderr);
-      fprintf (stderr, "%"pI"d : %d\n", pos, BOUNDARY_VALUE (c, i));
+      fprintf (stderr, "%"pD"d : %d\n", pos, BOUNDARY_VALUE (c, i));
     }
 }
diff --git a/src/region-cache.h b/src/region-cache.h
index ea767ed0dc3..8e1be716776 100644
--- a/src/region-cache.h
+++ b/src/region-cache.h
@@ -72,7 +72,7 @@ void free_region_cache (struct region_cache *);
    no newlines", in the case of the line cache).  */
 extern void know_region_cache (struct buffer *BUF,
                                struct region_cache *CACHE,
-                               EMACS_INT START, EMACS_INT END);
+                               ptrdiff_t START, ptrdiff_t END);
 
 /* Indicate that a section of BUF has changed, to invalidate CACHE.
    HEAD is the number of chars unchanged at the beginning of the buffer.
@@ -84,7 +84,7 @@ extern void know_region_cache (struct buffer *BUF,
    args to pass are the same before and after such an operation.)  */
 extern void invalidate_region_cache (struct buffer *BUF,
                                      struct region_cache *CACHE,
-                                     EMACS_INT HEAD, EMACS_INT TAIL);
+                                     ptrdiff_t HEAD, ptrdiff_t TAIL);
 
 /* The scanning functions.
 
@@ -100,13 +100,13 @@ extern void invalidate_region_cache (struct buffer *BUF,
    position after POS where the knownness changes.  */
 extern int region_cache_forward (struct buffer *BUF,
                                  struct region_cache *CACHE,
-                                 EMACS_INT POS,
-                                 EMACS_INT *NEXT);
+                                 ptrdiff_t POS,
+                                 ptrdiff_t *NEXT);
 
 /* Return true if the text immediately before POS in BUF is known, for
    the purposes of CACHE.  If NEXT is non-zero, set *NEXT to the nearest
    position before POS where the knownness changes.  */
 extern int region_cache_backward (struct buffer *BUF,
                                   struct region_cache *CACHE,
-                                  EMACS_INT POS,
-                                  EMACS_INT *NEXT);
+                                  ptrdiff_t POS,
+                                  ptrdiff_t *NEXT);
diff --git a/src/scroll.c b/src/scroll.c
index 6291936a541..05f6fdf85f0 100644
--- a/src/scroll.c
+++ b/src/scroll.c
@@ -969,32 +969,14 @@ do_line_insertion_deletion_costs (FRAME_PTR frame,
                                   const char *cleanup_string,
                                   int coefficient)
 {
-  if (FRAME_INSERT_COST (frame) != 0)
-    {
-      FRAME_INSERT_COST (frame) =
-        (int *) xrealloc (FRAME_INSERT_COST (frame),
-                          FRAME_LINES (frame) * sizeof (int));
-      FRAME_DELETEN_COST (frame) =
-        (int *) xrealloc (FRAME_DELETEN_COST (frame),
-                          FRAME_LINES (frame) * sizeof (int));
-      FRAME_INSERTN_COST (frame) =
-        (int *) xrealloc (FRAME_INSERTN_COST (frame),
-                          FRAME_LINES (frame) * sizeof (int));
-      FRAME_DELETE_COST (frame) =
-        (int *) xrealloc (FRAME_DELETE_COST (frame),
-                          FRAME_LINES (frame) * sizeof (int));
-    }
-  else
-    {
-      FRAME_INSERT_COST (frame) =
-        (int *) xmalloc (FRAME_LINES (frame) * sizeof (int));
-      FRAME_DELETEN_COST (frame) =
-        (int *) xmalloc (FRAME_LINES (frame) * sizeof (int));
-      FRAME_INSERTN_COST (frame) =
-        (int *) xmalloc (FRAME_LINES (frame) * sizeof (int));
-      FRAME_DELETE_COST (frame) =
-        (int *) xmalloc (FRAME_LINES (frame) * sizeof (int));
-    }
+  FRAME_INSERT_COST (frame) =
+    xnrealloc (FRAME_INSERT_COST (frame), FRAME_LINES (frame), sizeof (int));
+  FRAME_DELETEN_COST (frame) =
+    xnrealloc (FRAME_DELETEN_COST (frame), FRAME_LINES (frame), sizeof (int));
+  FRAME_INSERTN_COST (frame) =
+    xnrealloc (FRAME_INSERTN_COST (frame), FRAME_LINES (frame), sizeof (int));
+  FRAME_DELETE_COST (frame) =
+    xnrealloc (FRAME_DELETE_COST (frame), FRAME_LINES (frame), sizeof (int));
 
   ins_del_costs (frame,
                  ins_line_string, multi_ins_string,
diff --git a/src/search.c b/src/search.c
index a56df784cd2..d892792cbaa 100644
--- a/src/search.c
+++ b/src/search.c
@@ -683,7 +683,7 @@ scan_buffer (register int target, EMACS_INT start, EMACS_INT end,
            to see where we can avoid some scanning.  */
         if (target == '\n' && newline_cache)
           {
-            EMACS_INT next_change;
+            ptrdiff_t next_change;
             immediate_quit = 0;
             while (region_cache_forward
                    (current_buffer, newline_cache, start_byte, &next_change))
@@ -755,7 +755,7 @@ scan_buffer (register int target, EMACS_INT start, EMACS_INT end,
         /* Consult the newline cache, if appropriate.  */
         if (target == '\n' && newline_cache)
           {
-            EMACS_INT next_change;
+            ptrdiff_t next_change;
             immediate_quit = 0;
             while (region_cache_backward
                    (current_buffer, newline_cache, start_byte, &next_change))
@@ -2640,15 +2640,17 @@ since only regular expressions have distinguished subexpressions.  */)
      perform substitution on the replacement string.  */
   if (NILP (literal))
     {
-      EMACS_INT length = SBYTES (newtext);
+      ptrdiff_t length = SBYTES (newtext);
       unsigned char *substed;
-      EMACS_INT substed_alloc_size, substed_len;
+      ptrdiff_t substed_alloc_size, substed_len;
       int buf_multibyte = !NILP (BVAR (current_buffer, enable_multibyte_characters));
       int str_multibyte = STRING_MULTIBYTE (newtext);
       int really_changed = 0;
 
-      substed_alloc_size = length * 2 + 100;
-      substed = (unsigned char *) xmalloc (substed_alloc_size + 1);
+      substed_alloc_size = ((STRING_BYTES_BOUND - 100) / 2 < length
+                            ? STRING_BYTES_BOUND
+                            : length * 2 + 100);
+      substed = (unsigned char *) xmalloc (substed_alloc_size);
       substed_len = 0;
 
       /* Go thru NEWTEXT, producing the actual text to insert in
@@ -2659,7 +2661,7 @@ since only regular expressions have distinguished subexpressions.  */)
         {
           unsigned char str[MAX_MULTIBYTE_LENGTH];
           const unsigned char *add_stuff = NULL;
-          EMACS_INT add_len = 0;
+          ptrdiff_t add_len = 0;
           int idx = -1;
 
           if (str_multibyte)
@@ -2723,7 +2725,7 @@ since only regular expressions have distinguished subexpressions.  */)
              set up ADD_STUFF and ADD_LEN to point to it.  */
           if (idx >= 0)
             {
-              EMACS_INT begbyte = CHAR_TO_BYTE (search_regs.start[idx]);
+              ptrdiff_t begbyte = CHAR_TO_BYTE (search_regs.start[idx]);
               add_len = CHAR_TO_BYTE (search_regs.end[idx]) - begbyte;
               if (search_regs.start[idx] < GPT && GPT < search_regs.end[idx])
                 move_gap (search_regs.start[idx]);
@@ -2734,12 +2736,11 @@ since only regular expressions have distinguished subexpressions.  */)
              is invariably ADD_LEN bytes starting at ADD_STUFF.  */
 
           /* Make sure SUBSTED is big enough.  */
-          if (substed_len + add_len >= substed_alloc_size)
-            {
-              substed_alloc_size = substed_len + add_len + 500;
-              substed = (unsigned char *) xrealloc (substed,
-                                                    substed_alloc_size + 1);
-            }
+          if (substed_alloc_size - substed_len < add_len)
+            substed =
+              xpalloc (substed, &substed_alloc_size,
+                       add_len - (substed_alloc_size - substed_len),
+                       STRING_BYTES_BOUND, 1);
 
           /* Now add to the end of SUBSTED.  */
           if (add_stuff)
@@ -2973,7 +2974,7 @@ LIST should have been created by calling `match-data' previously.
 If optional arg RESEAT is non-nil, make markers on LIST point nowhere.  */)
   (register Lisp_Object list, Lisp_Object reseat)
 {
-  register int i;
+  ptrdiff_t i;
   register Lisp_Object marker;
 
   if (running_asynch_code)
@@ -2987,31 +2988,21 @@ If optional arg RESEAT is non-nil, make markers on LIST point nowhere.  */)
 
   /* Allocate registers if they don't already exist.  */
   {
-    int length = XFASTINT (Flength (list)) / 2;
+    ptrdiff_t length = XFASTINT (Flength (list)) / 2;
 
     if (length > search_regs.num_regs)
       {
-        if (search_regs.num_regs == 0)
-          {
-            search_regs.start
-              = (regoff_t *) xmalloc (length * sizeof (regoff_t));
-            search_regs.end
-              = (regoff_t *) xmalloc (length * sizeof (regoff_t));
-          }
-        else
-          {
-            search_regs.start
-              = (regoff_t *) xrealloc (search_regs.start,
-                                       length * sizeof (regoff_t));
-            search_regs.end
-              = (regoff_t *) xrealloc (search_regs.end,
-                                       length * sizeof (regoff_t));
-          }
-
-        for (i = search_regs.num_regs; i < length; i++)
+        ptrdiff_t num_regs = search_regs.num_regs;
+        search_regs.start =
+          xpalloc (search_regs.start, &num_regs, length - num_regs,
+                   min (PTRDIFF_MAX, UINT_MAX), sizeof (regoff_t));
+        search_regs.end =
+          xrealloc (search_regs.end, num_regs * sizeof (regoff_t));
+
+        for (i = search_regs.num_regs; i < num_regs; i++)
           search_regs.start[i] = -1;
 
-        search_regs.num_regs = length;
+        search_regs.num_regs = num_regs;
       }
 
     for (i = 0; CONSP (list); i++)
diff --git a/src/sysdep.c b/src/sysdep.c
index 4bd1f54b9e6..57fff94f552 100644
--- a/src/sysdep.c
+++ b/src/sysdep.c
@@ -2640,7 +2640,7 @@ system_process_attributes (Lisp_Object pid)
   ssize_t nread;
   const char *cmd = NULL;
   char *cmdline = NULL;
-  size_t cmdsize = 0, cmdline_size;
+  ptrdiff_t cmdsize = 0, cmdline_size;
   unsigned char c;
   int proc_id, ppid, uid, gid, pgrp, sess, tty, tpgid, thcount;
   unsigned long long u_time, s_time, cutime, cstime, start;
@@ -2822,8 +2822,10 @@ system_process_attributes (Lisp_Object pid)
   if (fd >= 0)
     {
       char ch;
-      for (cmdline_size = 0; emacs_read (fd, &ch, 1) == 1; cmdline_size++)
+      for (cmdline_size = 0; cmdline_size < STRING_BYTES_BOUND; cmdline_size++)
         {
+          if (emacs_read (fd, &ch, 1) != 1)
+            break;
           c = ch;
           if (isspace (c) || c == '\\')
             cmdline_size++;     /* for later quoting, see below */
@@ -2844,7 +2846,7 @@ system_process_attributes (Lisp_Object pid)
               nread = 0;
             }
           /* We don't want trailing null characters.  */
-          for (p = cmdline + nread - 1; p > cmdline && !*p; p--)
+          for (p = cmdline + nread; p > cmdline + 1 && !p[-1]; p--)
             nread--;
           for (p = cmdline; p < cmdline + nread; p++)
             {
diff --git a/src/term.c b/src/term.c
index 22056451cb9..f3bf3a947cb 100644
--- a/src/term.c
+++ b/src/term.c
@@ -136,10 +136,6 @@ enum no_color_bit
 
 static int max_frame_cols;
 
-/* The largest frame height in any call to calculate_costs.  */
-
-static int max_frame_lines;
-
 /* Non-zero if we have dropped our controlling tty and therefore
    should not open a frame on stdout. */
 static int no_controlling_tty;
@@ -497,8 +493,8 @@ tty_clear_end_of_line (struct frame *f, int first_unused_hpos)
 static unsigned char *encode_terminal_src;
 static unsigned char *encode_terminal_dst;
 /* Allocated sizes of the above buffers.  */
-static int encode_terminal_src_size;
-static int encode_terminal_dst_size;
+static ptrdiff_t encode_terminal_src_size;
+static ptrdiff_t encode_terminal_dst_size;
 
 /* Encode SRC_LEN glyphs starting at SRC to terminal output codes.
    Set CODING->produced to the byte-length of the resulting byte
@@ -509,8 +505,8 @@ encode_terminal_code (struct glyph *src, int src_len, struct coding_system *codi
 {
   struct glyph *src_end = src + src_len;
   unsigned char *buf;
-  int nchars, nbytes, required;
-  register int tlen = GLYPH_TABLE_LENGTH;
+  ptrdiff_t nchars, nbytes, required;
+  ptrdiff_t tlen = GLYPH_TABLE_LENGTH;
   register Lisp_Object *tbase = GLYPH_TABLE_BASE;
   Lisp_Object charset_list;
 
@@ -518,13 +514,13 @@ encode_terminal_code (struct glyph *src, int src_len, struct coding_system *codi
      multibyte-form.  But, it may be enlarged on demand if
      Vglyph_table contains a string or a composite glyph is
      encountered.  */
-  required = MAX_MULTIBYTE_LENGTH * src_len;
+  if (min (PTRDIFF_MAX, SIZE_MAX) / MAX_MULTIBYTE_LENGTH < src_len)
+    memory_full (SIZE_MAX);
+  required = src_len;
+  required *= MAX_MULTIBYTE_LENGTH;
   if (encode_terminal_src_size < required)
     {
-      if (encode_terminal_src)
-        encode_terminal_src = xrealloc (encode_terminal_src, required);
-      else
-        encode_terminal_src = xmalloc (required);
+      encode_terminal_src = xrealloc (encode_terminal_src, required);
       encode_terminal_src_size = required;
     }
 
@@ -544,19 +540,21 @@ encode_terminal_code (struct glyph *src, int src_len, struct coding_system *codi
           if (src->u.cmp.automatic)
             {
               gstring = composition_gstring_from_id (src->u.cmp.id);
-              required = src->slice.cmp.to + 1 - src->slice.cmp.from;
+              required = src->slice.cmp.to - src->slice.cmp.from + 1;
             }
           else
             {
               cmp = composition_table[src->u.cmp.id];
-              required = MAX_MULTIBYTE_LENGTH * cmp->glyph_len;
+              required = cmp->glyph_len;
+              required *= MAX_MULTIBYTE_LENGTH;
             }
 
-          if (encode_terminal_src_size < nbytes + required)
+          if (encode_terminal_src_size - nbytes < required)
             {
-              encode_terminal_src_size = nbytes + required;
-              encode_terminal_src = xrealloc (encode_terminal_src,
-                                              encode_terminal_src_size);
+              encode_terminal_src =
+                xpalloc (encode_terminal_src, &encode_terminal_src_size,
+                         required - (encode_terminal_src_size - nbytes),
+                         -1, 1);
               buf = encode_terminal_src + nbytes;
             }
 
@@ -627,11 +625,11 @@ encode_terminal_code (struct glyph *src, int src_len, struct coding_system *codi
           if (NILP (string))
             {
               nbytes = buf - encode_terminal_src;
-              if (encode_terminal_src_size < nbytes + MAX_MULTIBYTE_LENGTH)
+              if (encode_terminal_src_size - nbytes < MAX_MULTIBYTE_LENGTH)
                 {
-                  encode_terminal_src_size = nbytes + MAX_MULTIBYTE_LENGTH;
-                  encode_terminal_src = xrealloc (encode_terminal_src,
-                                                  encode_terminal_src_size);
+                  encode_terminal_src =
+                    xpalloc (encode_terminal_src, &encode_terminal_src_size,
+                             MAX_MULTIBYTE_LENGTH, -1, 1);
                   buf = encode_terminal_src + nbytes;
                 }
               if (CHAR_BYTE8_P (c)
@@ -659,11 +657,13 @@ encode_terminal_code (struct glyph *src, int src_len, struct coding_system *codi
               if (! STRING_MULTIBYTE (string))
                 string = string_to_multibyte (string);
               nbytes = buf - encode_terminal_src;
-              if (encode_terminal_src_size < nbytes + SBYTES (string))
+              if (encode_terminal_src_size - nbytes < SBYTES (string))
                 {
-                  encode_terminal_src_size = nbytes + SBYTES (string);
-                  encode_terminal_src = xrealloc (encode_terminal_src,
-                                                  encode_terminal_src_size);
+                  encode_terminal_src =
+                    xpalloc (encode_terminal_src, &encode_terminal_src_size,
+                             (SBYTES (string)
+                              - (encode_terminal_src_size - nbytes)),
+                             -1, 1);
                   buf = encode_terminal_src + nbytes;
                 }
               memcpy (buf, SDATA (string), SBYTES (string));
@@ -684,12 +684,9 @@ encode_terminal_code (struct glyph *src, int src_len, struct coding_system *codi
   coding->source = encode_terminal_src;
   if (encode_terminal_dst_size == 0)
     {
+      encode_terminal_dst = xrealloc (encode_terminal_dst,
+                                      encode_terminal_src_size);
       encode_terminal_dst_size = encode_terminal_src_size;
-      if (encode_terminal_dst)
-        encode_terminal_dst = xrealloc (encode_terminal_dst,
-                                        encode_terminal_dst_size);
-      else
-        encode_terminal_dst = xmalloc (encode_terminal_dst_size);
     }
   coding->destination = encode_terminal_dst;
   coding->dst_bytes = encode_terminal_dst_size;
@@ -1156,21 +1153,17 @@ calculate_costs (struct frame *frame)
          char_ins_del_vector (i.e., char_ins_del_cost) isn't used because
          X turns off char_ins_del_ok. */
 
-      max_frame_lines = max (max_frame_lines, FRAME_LINES (frame));
       max_frame_cols = max (max_frame_cols, FRAME_COLS (frame));
+      if ((min (PTRDIFF_MAX, SIZE_MAX) / sizeof (int) - 1) / 2
+          < max_frame_cols)
+        memory_full (SIZE_MAX);
 
-      if (char_ins_del_vector != 0)
-        char_ins_del_vector
-          = (int *) xrealloc (char_ins_del_vector,
-                              (sizeof (int)
-                               + 2 * max_frame_cols * sizeof (int)));
-      else
-        char_ins_del_vector
-          = (int *) xmalloc (sizeof (int)
-                             + 2 * max_frame_cols * sizeof (int));
+      char_ins_del_vector =
+        xrealloc (char_ins_del_vector,
+                  (sizeof (int) + 2 * sizeof (int) * max_frame_cols));
 
       memset (char_ins_del_vector, 0,
-              (sizeof (int) + 2 * max_frame_cols * sizeof (int)));
+              (sizeof (int) + 2 * sizeof (int) * max_frame_cols));
 
 
       if (f && (!tty->TS_ins_line && !tty->TS_del_line))
diff --git a/src/termcap.c b/src/termcap.c
index 96b9303d62d..6f24817fa72 100644
--- a/src/termcap.c
+++ b/src/termcap.c
@@ -480,7 +480,7 @@ tgetent (char *bp, const char *name)
       /* If BP is malloc'd by us, make sure it is big enough.  */
       if (malloc_size)
         {
-          int offset1 = bp1 - bp, offset2 = tc_search_point - bp;
+          ptrdiff_t offset1 = bp1 - bp, offset2 = tc_search_point - bp;
           malloc_size = offset1 + buf.size;
           bp = termcap_name = (char *) xrealloc (bp, malloc_size);
           bp1 = termcap_name + offset1;
@@ -619,7 +619,6 @@ gobble_line (int fd, register struct termcap_buffer *bufp, char *append_end)
   register char *end;
   register int nread;
   register char *buf = bufp->beg;
-  register char *tem;
 
   if (!append_end)
     append_end = bufp->ptr;
@@ -636,14 +635,14 @@ gobble_line (int fd, register struct termcap_buffer *bufp, char *append_end)
         {
           if (bufp->full == bufp->size)
             {
-              if ((PTRDIFF_MAX - 1) / 2 < bufp->size)
-                memory_full (SIZE_MAX);
-              bufp->size *= 2;
+              ptrdiff_t ptr_offset = bufp->ptr - buf;
+              ptrdiff_t append_end_offset = append_end - buf;
               /* Add 1 to size to ensure room for terminating null.  */
-              tem = (char *) xrealloc (buf, bufp->size + 1);
-              bufp->ptr = (bufp->ptr - buf) + tem;
-              append_end = (append_end - buf) + tem;
-              bufp->beg = buf = tem;
+              ptrdiff_t size = bufp->size + 1;
+              bufp->beg = buf = xpalloc (buf, &size, 1, -1, 1);
+              bufp->size = size - 1;
+              bufp->ptr = buf + ptr_offset;
+              append_end = buf + append_end_offset;
             }
         }
       else
diff --git a/src/termhooks.h b/src/termhooks.h
index 1310fba2f0a..a025e2798d9 100644
--- a/src/termhooks.h
+++ b/src/termhooks.h
@@ -291,12 +291,12 @@ enum {
   /* The next four modifier bits are used also in keyboard events at
      the Lisp level.
 
-     It's probably not the greatest idea to use the 2^23 bit for any
+     It's probably not the greatest idea to use the 2^28 bit for any
      modifier.  It may or may not be the sign bit, depending on
-     VALBITS, so using it to represent a modifier key means that
+     FIXNUM_BITS, so using it to represent a modifier key means that
      characters thus modified have different integer equivalents
      depending on the architecture they're running on.  Oh, and
-     applying XINT to a character whose 2^23 bit is set sign-extends
+     applying XINT to a character whose 2^28 bit is set might sign-extend
      it, so you get a bunch of bits in the mask you didn't want.
 
      The CHAR_ macros are defined in lisp.h.  */
diff --git a/src/tparam.c b/src/tparam.c
index ed28cd7397f..ac21667d65b 100644
--- a/src/tparam.c
+++ b/src/tparam.c
@@ -79,24 +79,25 @@ tparam1 (const char *string, char *outstring, int len,
   register const char *p = string;
   register char *op = outstring;
   char *outend;
-  int outlen = 0;
+  char *new = 0;
+  ptrdiff_t outlen = 0;
 
   register int tem;
   int *old_argp = argp;                 /* can move */
   int *fixed_argp = argp;               /* never moves */
   int explicit_param_p = 0;             /* set by %p */
-  int doleft = 0;
-  int doup = 0;
+  ptrdiff_t doleft = 0;
+  ptrdiff_t doup = 0;
+  ptrdiff_t append_len = 0;
 
   outend = outstring + len;
 
   while (1)
     {
       /* If the buffer might be too short, make it bigger.  */
-      if (op + 5 >= outend)
+      while (outend - op - append_len <= 5)
         {
-          register char *new;
-          int offset = op - outstring;
+          ptrdiff_t offset = op - outstring;
 
           if (outlen == 0)
             {
@@ -106,8 +107,7 @@ tparam1 (const char *string, char *outstring, int len,
             }
           else
             {
-              outlen *= 2;
-              new = (char *) xrealloc (outstring, outlen);
+              new = xpalloc (outstring, &outlen, 1, -1, 1);
             }
 
           op = new + offset;
@@ -167,11 +167,15 @@ tparam1 (const char *string, char *outstring, int len,
                      and this is one of them, increment it.  */
                   while (tem == 0 || tem == '\n' || tem == '\t')
                     {
+                      ptrdiff_t append_len_incr;
                       tem++;
                       if (argp == old_argp)
-                        doup++, outend -= strlen (up);
+                        doup++, append_len_incr = strlen (up);
                       else
-                        doleft++, outend -= strlen (left);
+                        doleft++, append_len_incr = strlen (left);
+                      if (INT_ADD_OVERFLOW (append_len, append_len_incr))
+                        memory_full (SIZE_MAX);
+                      append_len += append_len_incr;
                     }
                 }
               *op++ = tem ? tem : 0200;
@@ -273,7 +277,7 @@ main (int argc, char **argv)
   args[0] = atoi (argv[2]);
   args[1] = atoi (argv[3]);
   args[2] = atoi (argv[4]);
-  tparam1 (argv[1], buf, "LEFT", "UP", args);
+  tparam1 (argv[1], buf, 50, "LEFT", "UP", args);
   printf ("%s\n", buf);
   return 0;
 }
diff --git a/src/window.c b/src/window.c
index c7a4e1872fc..c8266696b2d 100644
--- a/src/window.c
+++ b/src/window.c
@@ -5074,7 +5074,7 @@ and redisplay normally--don't erase and redraw the frame.  */)
           && (!EQ (Vrecenter_redisplay, Qtty)
               || !NILP (Ftty_type (selected_frame))))
         {
-          int i;
+          ptrdiff_t i;
 
           /* Invalidate pixel data calculated for all compositions.  */
           for (i = 0; i < n_compositions; i++)
diff --git a/src/xdisp.c b/src/xdisp.c
index 580bd59908b..7e06938b3d3 100644
--- a/src/xdisp.c
+++ b/src/xdisp.c
@@ -2483,10 +2483,7 @@ init_iterator (struct it *it, struct window *w,
   else if (INTEGERP (w->redisplay_end_trigger))
     it->redisplay_end_trigger_charpos = XINT (w->redisplay_end_trigger);
 
-  /* Correct bogus values of tab_width.  */
-  it->tab_width = XINT (BVAR (current_buffer, tab_width));
-  if (it->tab_width <= 0 || it->tab_width > 1000)
-    it->tab_width = 8;
+  it->tab_width = SANE_TAB_WIDTH (current_buffer);
 
   /* Are lines in the display truncated?  */
   if (base_face_id != DEFAULT_FACE_ID
@@ -3151,11 +3148,15 @@ next_overlay_change (EMACS_INT pos)
    text property whose value is a string.  STRING is data about the
    string to iterate; if STRING->lstring is nil, we are iterating a
    buffer.  FRAME_WINDOW_P is non-zero when we are displaying a window
-   on a GUI frame.  */
+   on a GUI frame.  DISP_PROP is set to zero if we searched
+   MAX_DISP_SCAN characters forward without finding any display
+   strings, non-zero otherwise.  It is set to 2 if the display string
+   uses any kind of `(space ...)' spec that will produce a stretch of
+   white space in the text area.  */
 EMACS_INT
 compute_display_string_pos (struct text_pos *position,
                             struct bidi_string_data *string,
-                            int frame_window_p, int *disp_prop_p)
+                            int frame_window_p, int *disp_prop)
 {
   /* OBJECT = nil means current buffer.  */
   Lisp_Object object =
@@ -3168,8 +3169,9 @@ compute_display_string_pos (struct text_pos *position,
   EMACS_INT lim =
     (charpos < eob - MAX_DISP_SCAN) ? charpos + MAX_DISP_SCAN : eob;
   struct text_pos tpos;
+  int rv = 0;
 
-  *disp_prop_p = 1;
+  *disp_prop = 1;
 
   if (charpos >= eob
       /* We don't support display properties whose values are strings
@@ -3178,7 +3180,7 @@ compute_display_string_pos (struct text_pos *position,
       /* C strings cannot have display properties.  */
       || (string->s && !STRINGP (object)))
     {
-      *disp_prop_p = 0;
+      *disp_prop = 0;
       return eob;
     }
 
@@ -3195,9 +3197,11 @@ compute_display_string_pos (struct text_pos *position,
           || !EQ (Fget_char_property (make_number (charpos - 1), Qdisplay,
                                       object),
                   spec))
-      && handle_display_spec (NULL, spec, object, Qnil, &tpos, bufpos,
-                              frame_window_p))
+      && (rv = handle_display_spec (NULL, spec, object, Qnil, &tpos, bufpos,
+                                    frame_window_p)))
     {
+      if (rv == 2)
+        *disp_prop = 2;
       return charpos;
     }
 
@@ -3209,7 +3213,7 @@ compute_display_string_pos (struct text_pos *position,
     CHARPOS (tpos) = XFASTINT (pos);
     if (CHARPOS (tpos) >= lim)
       {
-        *disp_prop_p = 0;
+        *disp_prop = 0;
         break;
       }
     if (STRINGP (object))
@@ -3220,8 +3224,10 @@ compute_display_string_pos (struct text_pos *position,
     if (!STRINGP (object))
       bufpos = CHARPOS (tpos);
   } while (NILP (spec)
-           || !handle_display_spec (NULL, spec, object, Qnil, &tpos, bufpos,
-                                    frame_window_p));
+           || !(rv = handle_display_spec (NULL, spec, object, Qnil, &tpos,
+                                          bufpos, frame_window_p)));
+  if (rv == 2)
+    *disp_prop = 2;
 
   return CHARPOS (tpos);
 }
@@ -4083,7 +4089,9 @@ handle_display_prop (struct it *it)
 /* Subroutine of handle_display_prop.  Returns non-zero if the display
    specification in SPEC is a replacing specification, i.e. it would
    replace the text covered by `display' property with something else,
-   such as an image or a display string.
+   such as an image or a display string.  If SPEC includes any kind or
+   `(space ...) specification, the value is 2; this is used by
+   compute_display_string_pos, which see.
 
    See handle_single_display_spec for documentation of arguments.
    frame_window_p is non-zero if the window being redisplayed is on a
@@ -4100,6 +4108,7 @@ handle_display_spec (struct it *it, Lisp_Object spec, Lisp_Object object,
                      EMACS_INT bufpos, int frame_window_p)
 {
   int replacing_p = 0;
+  int rv;
 
   if (CONSP (spec)
       /* Simple specerties.  */
@@ -4121,11 +4130,11 @@ handle_display_spec (struct it *it, Lisp_Object spec, Lisp_Object object,
     {
       for (; CONSP (spec); spec = XCDR (spec))
         {
-          if (handle_single_display_spec (it, XCAR (spec), object, overlay,
-                                          position, bufpos, replacing_p,
-                                          frame_window_p))
+          if ((rv = handle_single_display_spec (it, XCAR (spec), object,
+                                                overlay, position, bufpos,
+                                                replacing_p, frame_window_p)))
             {
-              replacing_p = 1;
+              replacing_p = rv;
               /* If some text in a string is replaced, `position' no
                  longer points to the position of `object'.  */
               if (!it || STRINGP (object))
@@ -4137,11 +4146,11 @@ handle_display_spec (struct it *it, Lisp_Object spec, Lisp_Object object,
     {
       int i;
       for (i = 0; i < ASIZE (spec); ++i)
-        if (handle_single_display_spec (it, AREF (spec, i), object, overlay,
-                                        position, bufpos, replacing_p,
-                                        frame_window_p))
+        if ((rv = handle_single_display_spec (it, AREF (spec, i), object,
+                                              overlay, position, bufpos,
+                                              replacing_p, frame_window_p)))
           {
-            replacing_p = 1;
+            replacing_p = rv;
             /* If some text in a string is replaced, `position' no
                longer points to the position of `object'.  */
             if (!it || STRINGP (object))
@@ -4150,9 +4159,10 @@ handle_display_spec (struct it *it, Lisp_Object spec, Lisp_Object object,
     }
   else
     {
-      if (handle_single_display_spec (it, spec, object, overlay,
-                                      position, bufpos, 0, frame_window_p))
-        replacing_p = 1;
+      if ((rv = handle_single_display_spec (it, spec, object, overlay,
+                                            position, bufpos, 0,
+                                            frame_window_p)))
+        replacing_p = rv;
     }
 
   return replacing_p;
@@ -4532,8 +4542,17 @@ handle_single_display_spec (struct it *it, Lisp_Object spec, Lisp_Object object,
 
   if (valid_p && !display_replaced_p)
     {
+      int retval = 1;
+
       if (!it)
-        return 1;
+        {
+          /* Callers need to know whether the display spec is any kind
+             of `(space ...)' spec that is about to affect text-area
+             display.  */
+          if (CONSP (value) && EQ (XCAR (value), Qspace) && NILP (location))
+            retval = 2;
+          return retval;
+        }
 
       /* Save current settings of IT so that we can restore them
          when we are finished with the glyph property value.  */
@@ -4591,6 +4610,7 @@ handle_single_display_spec (struct it *it, Lisp_Object spec, Lisp_Object object,
           it->method = GET_FROM_STRETCH;
           it->object = value;
           *position = it->position = start_pos;
+          retval = 1 + (it->area == TEXT_AREA);
         }
 #ifdef HAVE_XWIDGETS
       else if (XWIDGETP(value))
@@ -4621,7 +4641,7 @@ handle_single_display_spec (struct it *it, Lisp_Object spec, Lisp_Object object,
         }
 #endif /* HAVE_WINDOW_SYSTEM */
 
-      return 1;
+      return retval;
     }
 
   /* Invalid property or property not supported.  Restore
@@ -5592,7 +5612,7 @@ forward_to_next_line_start (struct it *it, int *skipped_p,
               if (it->bidi_it.disp_pos < limit)
                 {
                   it->bidi_it.disp_pos = limit;
-                  it->bidi_it.disp_prop_p = 0;
+                  it->bidi_it.disp_prop = 0;
                 }
               do {
                 bprev = it->bidi_it;
@@ -10471,13 +10491,14 @@ static void
 store_mode_line_noprop_char (char c)
 {
   /* If output position has reached the end of the allocated buffer,
-     double the buffer's size.  */
+     increase the buffer's size.  */
   if (mode_line_noprop_ptr == mode_line_noprop_buf_end)
     {
-      int len = MODE_LINE_NOPROP_LEN (0);
-      int new_size = 2 * len * sizeof *mode_line_noprop_buf;
-      mode_line_noprop_buf = (char *) xrealloc (mode_line_noprop_buf, new_size);
-      mode_line_noprop_buf_end = mode_line_noprop_buf + new_size;
+      ptrdiff_t len = MODE_LINE_NOPROP_LEN (0);
+      ptrdiff_t size = len;
+      mode_line_noprop_buf =
+        xpalloc (mode_line_noprop_buf, &size, 1, STRING_BYTES_BOUND, 1);
+      mode_line_noprop_buf_end = mode_line_noprop_buf + size;
       mode_line_noprop_ptr = mode_line_noprop_buf + len;
     }
 
@@ -10539,9 +10560,9 @@ x_consider_frame_title (Lisp_Object frame)
       /* Do we have more than one visible frame on this X display?  */
       Lisp_Object tail;
       Lisp_Object fmt;
-      int title_start;
+      ptrdiff_t title_start;
       char *title;
-      int len;
+      ptrdiff_t len;
       struct it it;
       int count = SPECPDL_INDEX ();
 
@@ -14631,19 +14652,39 @@ try_cursor_movement (Lisp_Object window, struct text_pos startp, int *scroll_ste
 
               do
                 {
+                  int at_zv_p = 0, exact_match_p = 0;
+
                   if (MATRIX_ROW_START_CHARPOS (row) <= PT
                       && PT <= MATRIX_ROW_END_CHARPOS (row)
                       && cursor_row_p (row))
                     rv |= set_cursor_from_row (w, row, w->current_matrix,
                                                0, 0, 0, 0);
-                  /* As soon as we've found the first suitable row
-                     whose ends_at_zv_p flag is set, we are done.  */
-                  if (rv
-                      && MATRIX_ROW (w->current_matrix, w->cursor.vpos)->ends_at_zv_p)
+                  /* As soon as we've found the exact match for point,
+                     or the first suitable row whose ends_at_zv_p flag
+                     is set, we are done.  */
+                  at_zv_p =
+                    MATRIX_ROW (w->current_matrix, w->cursor.vpos)->ends_at_zv_p;
+                  if (!at_zv_p)
+                    {
+                      struct glyph_row *candidate =
+                        MATRIX_ROW (w->current_matrix, w->cursor.vpos);
+                      struct glyph *g =
+                        candidate->glyphs[TEXT_AREA] + w->cursor.hpos;
+                      EMACS_INT endpos = MATRIX_ROW_END_CHARPOS (candidate);
+
+                      exact_match_p =
+                        (BUFFERP (g->object) && g->charpos == PT)
+                        || (INTEGERP (g->object)
+                            && (g->charpos == PT
+                                || (g->charpos == 0 && endpos - 1 == PT)));
+                    }
+                  if (rv && (at_zv_p || exact_match_p))
                     {
                       rc = CURSOR_MOVEMENT_SUCCESS;
                       break;
                     }
+                  if (MATRIX_ROW_BOTTOM_Y (row) == last_y)
+                    break;
                   ++row;
                 }
               while (((MATRIX_ROW_CONTINUATION_LINE_P (row)
@@ -14655,7 +14696,9 @@ try_cursor_movement (Lisp_Object window, struct text_pos startp, int *scroll_ste
                  loop before all the candidates were examined, signal
                  to the caller that this method failed.  */
               if (rc != CURSOR_MOVEMENT_SUCCESS
-                  && (!rv || MATRIX_ROW_CONTINUATION_LINE_P (row)))
+                  && !(rv
+                       && !MATRIX_ROW_CONTINUATION_LINE_P (row)
+                       && !row->continued_p))
                 rc = CURSOR_MOVEMENT_MUST_SCROLL;
               else if (rv)
                 rc = CURSOR_MOVEMENT_SUCCESS;
@@ -15115,6 +15158,7 @@ redisplay_window (Lisp_Object window, int just_this_one_p)
                || (XFASTINT (w->last_modified) >= MODIFF
                    && XFASTINT (w->last_overlay_modified) >= OVERLAY_MODIFF)))
     {
+      int d1, d2, d3, d4, d5, d6;
 
       /* If first window line is a continuation line, and window start
          is inside the modified region, but the first change is before
@@ -15136,7 +15180,14 @@ redisplay_window (Lisp_Object window, int just_this_one_p)
              compute_window_start_on_continuation_line.  (See also
              bug#197).  */
           && XMARKER (w->start)->buffer == current_buffer
-          && compute_window_start_on_continuation_line (w))
+          && compute_window_start_on_continuation_line (w)
+          /* It doesn't make sense to force the window start like we
+             do at label force_start if it is already known that point
+             will not be visible in the resulting window, because
+             doing so will move point from its correct position
+             instead of scrolling the window to bring point into view.
+             See bug#9324.  */
+          && pos_visible_p (w, PT, &d1, &d2, &d3, &d4, &d5, &d6))
         {
           w->force_start = Qt;
           SET_TEXT_POS_FROM_MARKER (startp, w->start);
@@ -21456,7 +21507,7 @@ calc_pixel_width_or_height (double *res, struct it *it, Lisp_Object prop,
           if (FRAME_WINDOW_P (it->f)
               && valid_image_p (prop))
             {
-              int id = lookup_image (it->f, prop);
+              ptrdiff_t id = lookup_image (it->f, prop);
               struct image *img = IMAGE_FROM_ID (it->f, id);
 
               return OK_PIXELS (width_p ? img->width : img->height);
@@ -22363,7 +22414,7 @@ compute_overhangs_and_x (struct glyph_string *s, int x, int backward_p)
   do {                                                                      \
     int face_id = (row)->glyphs[area][START].face_id;                       \
     struct face *base_face = FACE_FROM_ID (f, face_id);                     \
-    int cmp_id = (row)->glyphs[area][START].u.cmp.id;                       \
+    ptrdiff_t cmp_id = (row)->glyphs[area][START].u.cmp.id;                 \
     struct composition *cmp = composition_table[cmp_id];                    \
     XChar2b *char2b;                                                        \
     struct glyph_string *first_s IF_LINT (= NULL);                          \
diff --git a/src/xfaces.c b/src/xfaces.c
index 52b86638a50..431ca07b8df 100644
--- a/src/xfaces.c
+++ b/src/xfaces.c
@@ -403,7 +403,7 @@ static int next_lface_id;
 /* A vector mapping Lisp face Id's to face names.  */
 
 static Lisp_Object *lface_id_to_name;
-static int lface_id_to_name_size;
+static ptrdiff_t lface_id_to_name_size;
 
 /* TTY color-related functions (defined in tty-colors.el).  */
 
@@ -2682,12 +2682,10 @@ Value is a vector of face attributes.  */)
          The mapping from Lisp face to Lisp face id is given by the
          property `face' of the Lisp face name.  */
       if (next_lface_id == lface_id_to_name_size)
-        {
-          int new_size = max (50, 2 * lface_id_to_name_size);
-          int sz = new_size * sizeof *lface_id_to_name;
-          lface_id_to_name = (Lisp_Object *) xrealloc (lface_id_to_name, sz);
-          lface_id_to_name_size = new_size;
-        }
+        lface_id_to_name =
+          xpalloc (lface_id_to_name, &lface_id_to_name_size, 1,
+                   min (INT_MAX, MOST_POSITIVE_FIXNUM),
+                   sizeof *lface_id_to_name);
 
       lface_id_to_name[next_lface_id] = face;
       Fput (face, Qface, make_number (next_lface_id));
@@ -4428,15 +4426,8 @@ cache_face (struct face_cache *c, struct face *face, unsigned int hash)
   if (i == c->used)
     {
       if (c->used == c->size)
-        {
-          int new_size, sz;
-          new_size = min (2 * c->size, MAX_FACE_ID);
-          if (new_size == c->size)
-            abort ();  /* Alternatives?  ++kfs */
-          sz = new_size * sizeof *c->faces_by_id;
-          c->faces_by_id = (struct face **) xrealloc (c->faces_by_id, sz);
-          c->size = new_size;
-        }
+        c->faces_by_id = xpalloc (c->faces_by_id, &c->size, 1, MAX_FACE_ID,
+                                  sizeof *c->faces_by_id);
       c->used++;
     }
 
diff --git a/src/xfns.c b/src/xfns.c
index eec19b9d275..9a3d5fcda83 100644
--- a/src/xfns.c
+++ b/src/xfns.c
@@ -145,7 +145,8 @@ static Lisp_Object Qcompound_text, Qcancel_timer;
 Lisp_Object Qfont_param;
 
 #if GLYPH_DEBUG
-static int image_cache_refcount, dpyinfo_refcount;
+static ptrdiff_t image_cache_refcount;
+static int dpyinfo_refcount;
 #endif
 
 #if defined (USE_GTK) && defined (HAVE_FREETYPE)
@@ -1470,7 +1471,8 @@ x_set_scroll_bar_background (struct frame *f, Lisp_Object value, Lisp_Object old
    the result should be `COMPOUND_TEXT'.  */
 
 static unsigned char *
-x_encode_text (Lisp_Object string, Lisp_Object coding_system, int selectionp, int *text_bytes, int *stringp, int *freep)
+x_encode_text (Lisp_Object string, Lisp_Object coding_system, int selectionp,
+               ptrdiff_t *text_bytes, int *stringp, int *freep)
 {
   int result = string_xstring_p (string);
   struct coding_system coding;
@@ -1488,8 +1490,8 @@ x_encode_text (Lisp_Object string, Lisp_Object coding_system, int selectionp, in
   coding.mode |= (CODING_MODE_SAFE_ENCODING | CODING_MODE_LAST_BLOCK);
   /* We suppress producing escape sequences for composition.  */
   coding.common_flags &= ~CODING_ANNOTATION_MASK;
+  coding.destination = xnmalloc (SCHARS (string), 2);
   coding.dst_bytes = SCHARS (string) * 2;
-  coding.destination = (unsigned char *) xmalloc (coding.dst_bytes);
   encode_coding_object (&coding, string, 0, 0,
                         SCHARS (string), SBYTES (string), Qnil);
   *text_bytes = coding.produced;
@@ -1511,7 +1513,8 @@ x_set_name_internal (FRAME_PTR f, Lisp_Object name)
       BLOCK_INPUT;
       {
         XTextProperty text, icon;
-        int bytes, stringp;
+        ptrdiff_t bytes;
+        int stringp;
         int do_free_icon_value = 0, do_free_text_value = 0;
         Lisp_Object coding_system;
         Lisp_Object encoded_name;
@@ -1550,6 +1553,8 @@ x_set_name_internal (FRAME_PTR f, Lisp_Object name)
                          : FRAME_X_DISPLAY_INFO (f)->Xatom_COMPOUND_TEXT);
         text.format = 8;
         text.nitems = bytes;
+        if (text.nitems != bytes)
+          error ("Window name too large");
 
         if (!STRINGP (f->icon_name))
           {
@@ -1565,6 +1570,8 @@ x_set_name_internal (FRAME_PTR f, Lisp_Object name)
                              : FRAME_X_DISPLAY_INFO (f)->Xatom_COMPOUND_TEXT);
             icon.format = 8;
             icon.nitems = bytes;
+            if (icon.nitems != bytes)
+              error ("Icon name too large");
 
             encoded_icon_name = ENCODE_UTF_8 (f->icon_name);
           }
@@ -4193,21 +4200,19 @@ FRAME.  Default is to change on the edit X window.  */)
 
   if (CONSP (value))
     {
+      ptrdiff_t elsize;
+
       nelements = x_check_property_data (value);
       if (nelements == -1)
         error ("Bad data in VALUE, must be number, string or cons");
 
-      if (element_format == 8)
-        data = (unsigned char *) xmalloc (nelements);
-      else if (element_format == 16)
-        data = (unsigned char *) xmalloc (nelements*2);
-      else /* format == 32 */
-        /* The man page for XChangeProperty:
-               "If the specified format is 32, the property data must be a
-                long array."
-           This applies even if long is more than 64 bits.  The X library
-           converts to 32 bits before sending to the X server.  */
-        data = (unsigned char *) xmalloc (nelements * sizeof(long));
+      /* The man page for XChangeProperty:
+             "If the specified format is 32, the property data must be a
+              long array."
+         This applies even if long is more than 32 bits.  The X library
+         converts to 32 bits before sending to the X server.  */
+      elsize = element_format == 32 ? sizeof (long) : element_format >> 3;
+      data = xnmalloc (nelements, elsize);
 
       x_fill_property_data (FRAME_X_DISPLAY (f), value, data, element_format);
     }
@@ -4215,7 +4220,9 @@ FRAME.  Default is to change on the edit X window.  */)
     {
       CHECK_STRING (value);
       data = SDATA (value);
-      nelements = SCHARS (value);
+      if (INT_MAX < SBYTES (value))
+        error ("VALUE too long");
+      nelements = SBYTES (value);
     }
 
   BLOCK_INPUT;
diff --git a/src/xgselect.c b/src/xgselect.c
index 9ccdd37489f..339ec475117 100644
--- a/src/xgselect.c
+++ b/src/xgselect.c
@@ -29,7 +29,7 @@ along with GNU Emacs.  If not, see <http§://www.gnu.org/licenses/>.  */
 #include <setjmp.h>
 
 static GPollFD *gfds;
-static int gfds_size;
+static ptrdiff_t gfds_size;
 
 int
 xg_select (int max_fds, SELECT_TYPE *rfds, SELECT_TYPE *wfds, SELECT_TYPE *efds,
@@ -54,10 +54,9 @@ xg_select (int max_fds, SELECT_TYPE *rfds, SELECT_TYPE *wfds, SELECT_TYPE *efds,
   do {
     if (n_gfds > gfds_size)
       {
-        while (n_gfds > gfds_size)
-          gfds_size *= 2;
         xfree (gfds);
-        gfds = xmalloc (sizeof (*gfds) * gfds_size);
+        gfds = xpalloc (0, &gfds_size, n_gfds - gfds_size, INT_MAX,
+                        sizeof *gfds);
       }
 
     n_gfds = g_main_context_query (context,
diff --git a/src/xrdb.c b/src/xrdb.c
index 6a16e3260bd..63f06738b98 100644
--- a/src/xrdb.c
+++ b/src/xrdb.c
@@ -426,24 +426,22 @@ get_environ_db (void)
 {
   XrmDatabase db;
   char *p;
-  char *path = 0, *home = 0;
-  const char *host;
+  char *path = 0;
 
   if ((p = getenv ("XENVIRONMENT")) == NULL)
     {
-      home = gethomedir ();
-      host = get_system_name ();
-      path = (char *) xmalloc (strlen (home)
-                              + sizeof (".Xdefaults-")
-                              + strlen (host));
-      sprintf (path, "%s%s%s", home, ".Xdefaults-", host);
+      static char const xdefaults[] = ".Xdefaults-";
+      char *home = gethomedir ();
+      char const *host = get_system_name ();
+      ptrdiff_t pathsize = strlen (home) + sizeof xdefaults + strlen (host);
+      path = (char *) xrealloc (home, pathsize);
+      strcat (strcat (path, xdefaults), host);
       p = path;
     }
 
   db = XrmGetFileDatabase (p);
 
   xfree (path);
-  xfree (home);
 
   return db;
 }
diff --git a/src/xselect.c b/src/xselect.c
index f63977a73de..77bda79007c 100644
--- a/src/xselect.c
+++ b/src/xselect.c
@@ -66,22 +66,15 @@ static Lisp_Object wait_for_property_change_unwind (Lisp_Object);
 static void wait_for_property_change (struct prop_location *);
 static Lisp_Object x_get_foreign_selection (Lisp_Object, Lisp_Object,
                                             Lisp_Object, Lisp_Object);
-static void x_get_window_property (Display *, Window, Atom,
-                                   unsigned char **, int *,
-                                   Atom *, int *, unsigned long *, int);
-static void receive_incremental_selection (Display *, Window, Atom,
-                                           Lisp_Object, unsigned,
-                                           unsigned char **, int *,
-                                           Atom *, int *, unsigned long *);
 static Lisp_Object x_get_window_property_as_lisp_data (Display *,
                                                        Window, Atom,
                                                        Lisp_Object, Atom);
 static Lisp_Object selection_data_to_lisp_data (Display *,
                                                 const unsigned char *,
-                                                int, Atom, int);
+                                                ptrdiff_t, Atom, int);
 static void lisp_data_to_selection_data (Display *, Lisp_Object,
                                          unsigned char **, Atom *,
-                                         unsigned *, int *, int *);
+                                         ptrdiff_t *, int *, int *);
 static Lisp_Object clean_local_selection_data (Lisp_Object);
 
 /* Printing traces to stderr.  */
@@ -114,15 +107,39 @@ static Lisp_Object Qcompound_text_with_extensions;
 static Lisp_Object Qforeign_selection;
 static Lisp_Object Qx_lost_selection_functions, Qx_sent_selection_functions;
 
+/* Bytes needed to represent 'long' data.  This is as per libX11; it
+   is not necessarily sizeof (long).  */
+#define X_LONG_SIZE 4
+
+/* Extreme 'short' and 'long' values suitable for libX11.  */
+#define X_SHRT_MAX 0x7fff
+#define X_SHRT_MIN (-1 - X_SHRT_MAX)
+#define X_LONG_MAX 0x7fffffff
+#define X_LONG_MIN (-1 - X_LONG_MAX)
+
 /* If this is a smaller number than the max-request-size of the display,
    emacs will use INCR selection transfer when the selection is larger
    than this.  The max-request-size is usually around 64k, so if you want
    emacs to use incremental selection transfers when the selection is
    smaller than that, set this.  I added this mostly for debugging the
-   incremental transfer stuff, but it might improve server performance.  */
-#define MAX_SELECTION_QUANTUM 0xFFFFFF
+   incremental transfer stuff, but it might improve server performance.
 
-#define SELECTION_QUANTUM(dpy) ((XMaxRequestSize(dpy) << 2) - 100)
+   This value cannot exceed INT_MAX / max (X_LONG_SIZE, sizeof (long))
+   because it is multiplied by X_LONG_SIZE and by sizeof (long) in
+   subscript calculations.  Similarly for PTRDIFF_MAX - 1 or SIZE_MAX
+   - 1 in place of INT_MAX.  */
+#define MAX_SELECTION_QUANTUM                                           \
+  ((int) min (0xFFFFFF, (min (INT_MAX, min (PTRDIFF_MAX, SIZE_MAX) - 1) \
+                         / max (X_LONG_SIZE, sizeof (long)))))
+
+static int
+selection_quantum (Display *display)
+{
+  long mrs = XMaxRequestSize (display);
+  return (mrs < MAX_SELECTION_QUANTUM / X_LONG_SIZE + 25
+          ? (mrs - 25) * X_LONG_SIZE
+          : MAX_SELECTION_QUANTUM);
+}
 
 #define LOCAL_SELECTION(selection_symbol,dpyinfo)                       \
   assq_no_quit (selection_symbol, dpyinfo->terminal->Vselection_alist)
@@ -477,7 +494,7 @@ static struct x_display_info *selection_request_dpyinfo;
 struct selection_data
 {
   unsigned char *data;
-  unsigned int size;
+  ptrdiff_t size;
   int format;
   Atom type;
   int nofree;
@@ -581,14 +598,11 @@ x_reply_selection_request (struct input_event *event, struct x_display_info *dpy
   XSelectionEvent *reply = &(reply_base.xselection);
   Display *display = SELECTION_EVENT_DISPLAY (event);
   Window window = SELECTION_EVENT_REQUESTOR (event);
-  int bytes_remaining;
-  int max_bytes = SELECTION_QUANTUM (display);
+  ptrdiff_t bytes_remaining;
+  int max_bytes = selection_quantum (display);
   int count = SPECPDL_INDEX ();
   struct selection_data *cs;
 
-  if (max_bytes > MAX_SELECTION_QUANTUM)
-    max_bytes = MAX_SELECTION_QUANTUM;
-
   reply->type = SelectionNotify;
   reply->display = display;
   reply->requestor = window;
@@ -616,11 +630,12 @@ x_reply_selection_request (struct input_event *event, struct x_display_info *dpy
       if (cs->property == None)
         continue;
 
-      bytes_remaining = cs->size * (cs->format / 8);
+      bytes_remaining = cs->size;
+      bytes_remaining *= cs->format >> 3;
       if (bytes_remaining <= max_bytes)
         {
           /* Send all the data at once, with minimal handshaking.  */
-          TRACE1 ("Sending all %d bytes", bytes_remaining);
+          TRACE1 ("Sending all %"pD"d bytes", bytes_remaining);
           XChangeProperty (display, window, cs->property,
                            cs->type, cs->format, PropModeReplace,
                            cs->data, cs->size);
@@ -630,7 +645,7 @@ x_reply_selection_request (struct input_event *event, struct x_display_info *dpy
           /* Send an INCR tag to initiate incremental transfer.  */
           long value[1];
 
-          TRACE2 ("Start sending %d bytes incrementally (%s)",
+          TRACE2 ("Start sending %"pD"d bytes incrementally (%s)",
                   bytes_remaining, XGetAtomName (display, cs->property));
           cs->wait_object
             = expect_property_change (display, window, cs->property,
@@ -638,7 +653,7 @@ x_reply_selection_request (struct input_event *event, struct x_display_info *dpy
 
           /* XChangeProperty expects an array of long even if long is
              more than 32 bits.  */
-          value[0] = bytes_remaining;
+          value[0] = min (bytes_remaining, X_LONG_MAX);
           XChangeProperty (display, window, cs->property,
                            dpyinfo->Xatom_INCR, 32, PropModeReplace,
                            (unsigned char *) value, 1);
@@ -672,7 +687,8 @@ x_reply_selection_request (struct input_event *event, struct x_display_info *dpy
         int had_errors = x_had_errors_p (display);
         UNBLOCK_INPUT;
 
-        bytes_remaining = cs->size * format_bytes;
+        bytes_remaining = cs->size;
+        bytes_remaining *= format_bytes;
 
         /* Wait for the requester to ack by deleting the property.
            This can run Lisp code (process handlers) or signal.  */
@@ -810,7 +826,7 @@ x_handle_selection_request (struct input_event *event)
          non-None property.  */
       Window requestor = SELECTION_EVENT_REQUESTOR (event);
       Lisp_Object multprop;
-      int j, nselections;
+      ptrdiff_t j, nselections;
 
       if (property == None) goto DONE;
       multprop
@@ -1269,19 +1285,28 @@ x_get_foreign_selection (Lisp_Object selection_symbol, Lisp_Object target_type,
 
 static void
 x_get_window_property (Display *display, Window window, Atom property,
-                       unsigned char **data_ret, int *bytes_ret,
+                       unsigned char **data_ret, ptrdiff_t *bytes_ret,
                        Atom *actual_type_ret, int *actual_format_ret,
                        unsigned long *actual_size_ret, int delete_p)
 {
-  int total_size;
+  ptrdiff_t total_size;
   unsigned long bytes_remaining;
-  int offset = 0;
+  ptrdiff_t offset = 0;
+  unsigned char *data = 0;
   unsigned char *tmp_data = 0;
   int result;
-  int buffer_size = SELECTION_QUANTUM (display);
+  int buffer_size = selection_quantum (display);
+
+  /* Wide enough to avoid overflow in expressions using it.  */
+  ptrdiff_t x_long_size = X_LONG_SIZE;
 
-  if (buffer_size > MAX_SELECTION_QUANTUM)
-    buffer_size = MAX_SELECTION_QUANTUM;
+  /* Maximum value for TOTAL_SIZE.  It cannot exceed PTRDIFF_MAX - 1
+     and SIZE_MAX - 1, for an extra byte at the end.  And it cannot
+     exceed LONG_MAX * X_LONG_SIZE, for XGetWindowProperty.  */
+  ptrdiff_t total_size_max =
+    ((min (PTRDIFF_MAX, SIZE_MAX) - 1) / x_long_size < LONG_MAX
+     ? min (PTRDIFF_MAX, SIZE_MAX) - 1
+     : LONG_MAX * x_long_size);
 
   BLOCK_INPUT;
 
@@ -1292,49 +1317,44 @@ x_get_window_property (Display *display, Window window, Atom property,
                                actual_size_ret,
                                &bytes_remaining, &tmp_data);
   if (result != Success)
-    {
-      UNBLOCK_INPUT;
-      *data_ret = 0;
-      *bytes_ret = 0;
-      return;
-    }
+    goto done;
 
   /* This was allocated by Xlib, so use XFree.  */
   XFree ((char *) tmp_data);
 
   if (*actual_type_ret == None || *actual_format_ret == 0)
-    {
-      UNBLOCK_INPUT;
-      return;
-    }
+    goto done;
 
-  total_size = bytes_remaining + 1;
-  *data_ret = (unsigned char *) xmalloc (total_size);
+  if (total_size_max < bytes_remaining)
+    goto size_overflow;
+  total_size = bytes_remaining;
+  data = malloc (total_size + 1);
+  if (! data)
+    goto memory_exhausted;
 
   /* Now read, until we've gotten it all.  */
   while (bytes_remaining)
     {
-#ifdef TRACE_SELECTION
-      unsigned long last = bytes_remaining;
-#endif
+      ptrdiff_t bytes_gotten;
+      int bytes_per_item;
       result
         = XGetWindowProperty (display, window, property,
-                              (long)offset/4, (long)buffer_size/4,
+                              offset / X_LONG_SIZE,
+                              buffer_size / X_LONG_SIZE,
                               False,
                               AnyPropertyType,
                               actual_type_ret, actual_format_ret,
                               actual_size_ret, &bytes_remaining, &tmp_data);
 
-      TRACE2 ("Read %lu bytes from property %s",
-              last - bytes_remaining,
-              XGetAtomName (display, property));
-
       /* If this doesn't return Success at this point, it means that
          some clod deleted the selection while we were in the midst of
          reading it.  Deal with that, I guess.... */
       if (result != Success)
         break;
 
+      bytes_per_item = *actual_format_ret >> 3;
+      xassert (*actual_size_ret <= buffer_size / bytes_per_item);
+
       /* The man page for XGetWindowProperty says:
          "If the returned format is 32, the returned data is represented
           as a long array and should be cast to that type to obtain the
@@ -1348,32 +1368,61 @@ x_get_window_property (Display *display, Window window, Atom property,
          The bytes and offsets passed to XGetWindowProperty refers to the
          property and those are indeed in 32 bit quantities if format is 32.  */
 
+      bytes_gotten = *actual_size_ret;
+      bytes_gotten *= bytes_per_item;
+
+      TRACE2 ("Read %"pD"d bytes from property %s",
+              bytes_gotten, XGetAtomName (display, property));
+
+      if (total_size - offset < bytes_gotten)
+        {
+          unsigned char *data1;
+          ptrdiff_t remaining_lim = total_size_max - offset - bytes_gotten;
+          if (remaining_lim < 0 || remaining_lim < bytes_remaining)
+            goto size_overflow;
+          total_size = offset + bytes_gotten + bytes_remaining;
+          data1 = realloc (data, total_size + 1);
+          if (! data1)
+            goto memory_exhausted;
+          data = data1;
+        }
+
       if (32 < BITS_PER_LONG && *actual_format_ret == 32)
         {
           unsigned long i;
-          int  *idata = (int *) ((*data_ret) + offset);
+          int  *idata = (int *) (data + offset);
           long *ldata = (long *) tmp_data;
 
           for (i = 0; i < *actual_size_ret; ++i)
-            {
-              idata[i]= (int) ldata[i];
-              offset += 4;
-            }
+            idata[i] = ldata[i];
         }
       else
-        {
-          *actual_size_ret *= *actual_format_ret / 8;
-          memcpy ((*data_ret) + offset, tmp_data, *actual_size_ret);
-          offset += *actual_size_ret;
-        }
+        memcpy (data + offset, tmp_data, bytes_gotten);
+
+      offset += bytes_gotten;
 
       /* This was allocated by Xlib, so use XFree.  */
       XFree ((char *) tmp_data);
     }
 
   XFlush (display);
+  data[offset] = '\0';
+
+ done:
   UNBLOCK_INPUT;
+  *data_ret = data;
   *bytes_ret = offset;
+  return;
+
+ size_overflow:
+  free (data);
+  UNBLOCK_INPUT;
+  memory_full (SIZE_MAX);
+
+ memory_exhausted:
+  free (data);
+  UNBLOCK_INPUT;
+  memory_full (total_size + 1);
 }
 
 /* Use xfree, not XFree, to free the data obtained with this function.  */
@@ -1382,16 +1431,19 @@ static void
 receive_incremental_selection (Display *display, Window window, Atom property,
                                Lisp_Object target_type,
                                unsigned int min_size_bytes,
-                               unsigned char **data_ret, int *size_bytes_ret,
+                               unsigned char **data_ret,
+                               ptrdiff_t *size_bytes_ret,
                                Atom *type_ret, int *format_ret,
                                unsigned long *size_ret)
 {
-  int offset = 0;
+  ptrdiff_t offset = 0;
   struct prop_location *wait_object;
+  if (min (PTRDIFF_MAX, SIZE_MAX) < min_size_bytes)
+    memory_full (SIZE_MAX);
+  *data_ret = (unsigned char *) xmalloc (min_size_bytes);
   *size_bytes_ret = min_size_bytes;
-  *data_ret = (unsigned char *) xmalloc (*size_bytes_ret);
 
-  TRACE1 ("Read %d bytes incrementally", min_size_bytes);
+  TRACE1 ("Read %u bytes incrementally", min_size_bytes);
 
   /* At this point, we have read an INCR property.
      Delete the property to ack it.
@@ -1416,7 +1468,7 @@ receive_incremental_selection (Display *display, Window window, Atom property,
   while (1)
     {
       unsigned char *tmp_data;
-      int tmp_size_bytes;
+      ptrdiff_t tmp_size_bytes;
 
       TRACE0 ("  Wait for property change");
       wait_for_property_change (wait_object);
@@ -1429,7 +1481,7 @@ receive_incremental_selection (Display *display, Window window, Atom property,
                              &tmp_data, &tmp_size_bytes,
                              type_ret, format_ret, size_ret, 1);
 
-      TRACE1 ("  Read increment of %d bytes", tmp_size_bytes);
+      TRACE1 ("  Read increment of %"pD"d bytes", tmp_size_bytes);
 
       if (tmp_size_bytes == 0) /* we're done */
         {
@@ -1452,11 +1504,10 @@ receive_incremental_selection (Display *display, Window window, Atom property,
       XFlush (display);
       UNBLOCK_INPUT;
 
-      if (*size_bytes_ret < offset + tmp_size_bytes)
-        {
-          *size_bytes_ret = offset + tmp_size_bytes;
-          *data_ret = (unsigned char *) xrealloc (*data_ret, *size_bytes_ret);
-        }
+      if (*size_bytes_ret - offset < tmp_size_bytes)
+        *data_ret = xpalloc (*data_ret, size_bytes_ret,
+                             tmp_size_bytes - (*size_bytes_ret - offset),
+                             -1, 1);
 
       memcpy ((*data_ret) + offset, tmp_data, tmp_size_bytes);
       offset += tmp_size_bytes;
@@ -1482,7 +1533,7 @@ x_get_window_property_as_lisp_data (Display *display, Window window,
   int actual_format;
   unsigned long actual_size;
   unsigned char *data = 0;
-  int bytes = 0;
+  ptrdiff_t bytes = 0;
   Lisp_Object val;
   struct x_display_info *dpyinfo = x_display_info_for_display (display);
 
@@ -1574,7 +1625,7 @@ x_get_window_property_as_lisp_data (Display *display, Window window,
 
 static Lisp_Object
 selection_data_to_lisp_data (Display *display, const unsigned char *data,
-                             int size, Atom type, int format)
+                             ptrdiff_t size, Atom type, int format)
 {
   struct x_display_info *dpyinfo = x_display_info_for_display (display);
 
@@ -1607,7 +1658,7 @@ selection_data_to_lisp_data (Display *display, const unsigned char *data,
            /* Treat ATOM_PAIR type similar to list of atoms.  */
            || type == dpyinfo->Xatom_ATOM_PAIR)
     {
-      int i;
+      ptrdiff_t i;
       /* On a 64 bit machine sizeof(Atom) == sizeof(long) == 8.
          But the callers of these function has made sure the data for
          format == 32 is an array of int.  Thus, use int instead
@@ -1634,28 +1685,29 @@ selection_data_to_lisp_data (Display *display, const unsigned char *data,
   else if (format == 32 && size == sizeof (int))
     return INTEGER_TO_CONS (((unsigned int *) data) [0]);
   else if (format == 16 && size == sizeof (short))
-    return make_number ((int) (((unsigned short *) data) [0]));
+    return make_number (((unsigned short *) data) [0]);
 
   /* Convert any other kind of data to a vector of numbers, represented
      as above (as an integer, or a cons of two 16 bit integers.)
    */
   else if (format == 16)
     {
-      int i;
+      ptrdiff_t i;
       Lisp_Object v;
       v = Fmake_vector (make_number (size / 2), make_number (0));
       for (i = 0; i < size / 2; i++)
         {
-          int j = (int) ((unsigned short *) data) [i];
+          EMACS_INT j = ((unsigned short *) data) [i];
           Faset (v, make_number (i), make_number (j));
         }
       return v;
     }
   else
     {
-      int i;
-      Lisp_Object v = Fmake_vector (make_number (size / 4), make_number (0));
-      for (i = 0; i < size / 4; i++)
+      ptrdiff_t i;
+      Lisp_Object v = Fmake_vector (make_number (size / X_LONG_SIZE),
+                                    make_number (0));
+      for (i = 0; i < size / X_LONG_SIZE; i++)
         {
           unsigned int j = ((unsigned int *) data) [i];
           Faset (v, make_number (i), INTEGER_TO_CONS (j));
@@ -1670,7 +1722,7 @@ selection_data_to_lisp_data (Display *display, const unsigned char *data,
 static void
 lisp_data_to_selection_data (Display *display, Lisp_Object obj,
                              unsigned char **data_ret, Atom *type_ret,
-                             unsigned int *size_ret,
+                             ptrdiff_t *size_ret,
                              int *format_ret, int *nofree_ret)
 {
   Lisp_Object type = Qnil;
@@ -1707,22 +1759,20 @@ lisp_data_to_selection_data (Display *display, Lisp_Object obj,
     }
   else if (SYMBOLP (obj))
     {
+      *data_ret = (unsigned char *) xmalloc (sizeof (Atom) + 1);
       *format_ret = 32;
       *size_ret = 1;
-      *data_ret = (unsigned char *) xmalloc (sizeof (Atom) + 1);
       (*data_ret) [sizeof (Atom)] = 0;
       (*(Atom **) data_ret) [0] = symbol_to_x_atom (dpyinfo, obj);
       if (NILP (type)) type = QATOM;
     }
-  else if (INTEGERP (obj)
-           && XINT (obj) < 0xFFFF
-           && XINT (obj) > -0xFFFF)
+  else if (RANGED_INTEGERP (X_SHRT_MIN, obj, X_SHRT_MAX))
     {
+      *data_ret = (unsigned char *) xmalloc (sizeof (short) + 1);
       *format_ret = 16;
       *size_ret = 1;
-      *data_ret = (unsigned char *) xmalloc (sizeof (short) + 1);
       (*data_ret) [sizeof (short)] = 0;
-      (*(short **) data_ret) [0] = (short) XINT (obj);
+      (*(short **) data_ret) [0] = XINT (obj);
       if (NILP (type)) type = QINTEGER;
     }
   else if (INTEGERP (obj)
@@ -1731,11 +1781,11 @@ lisp_data_to_selection_data (Display *display, Lisp_Object obj,
                    || (CONSP (XCDR (obj))
                        && INTEGERP (XCAR (XCDR (obj)))))))
     {
+      *data_ret = (unsigned char *) xmalloc (sizeof (long) + 1);
       *format_ret = 32;
       *size_ret = 1;
-      *data_ret = (unsigned char *) xmalloc (sizeof (long) + 1);
       (*data_ret) [sizeof (long)] = 0;
-      (*(unsigned long **) data_ret) [0] = cons_to_unsigned (obj, ULONG_MAX);
+      (*(long **) data_ret) [0] = cons_to_signed (obj, X_LONG_MIN, X_LONG_MAX);
       if (NILP (type)) type = QINTEGER;
     }
   else if (VECTORP (obj))
@@ -1744,50 +1794,55 @@ lisp_data_to_selection_data (Display *display, Lisp_Object obj,
          a set of 16 or 32 bit INTEGERs;
          or a set of ATOM_PAIRs (represented as [[A1 A2] [A3 A4] ...]
        */
-      int i;
+      ptrdiff_t i;
+      ptrdiff_t size = ASIZE (obj);
 
       if (SYMBOLP (XVECTOR (obj)->contents [0]))
         /* This vector is an ATOM set */
         {
           if (NILP (type)) type = QATOM;
-          *size_ret = ASIZE (obj);
-          *format_ret = 32;
-          for (i = 0; i < *size_ret; i++)
+          for (i = 0; i < size; i++)
             if (!SYMBOLP (XVECTOR (obj)->contents [i]))
               signal_error ("All elements of selection vector must have same type", obj);
 
-          *data_ret = (unsigned char *) xmalloc ((*size_ret) * sizeof (Atom));
-          for (i = 0; i < *size_ret; i++)
+          *data_ret = xnmalloc (size, sizeof (Atom));
+          *format_ret = 32;
+          *size_ret = size;
+          for (i = 0; i < size; i++)
             (*(Atom **) data_ret) [i]
               = symbol_to_x_atom (dpyinfo, XVECTOR (obj)->contents [i]);
         }
       else
         /* This vector is an INTEGER set, or something like it */
         {
-          int data_size = 2;
-          *size_ret = ASIZE (obj);
+          int format = 16;
+          int data_size = sizeof (short);
           if (NILP (type)) type = QINTEGER;
-          *format_ret = 16;
-          for (i = 0; i < *size_ret; i++)
-            if (CONSP (XVECTOR (obj)->contents [i]))
-              *format_ret = 32;
-            else if (!INTEGERP (XVECTOR (obj)->contents [i]))
-              signal_error (/* Qselection_error */
-    "Elements of selection vector must be integers or conses of integers",
-                            obj);
-
-          /* Use sizeof(long) even if it is more than 32 bits.  See comment
-             in x_get_window_property and x_fill_property_data.  */
-
-          if (*format_ret == 32) data_size = sizeof(long);
-          *data_ret = (unsigned char *) xmalloc (*size_ret * data_size);
-          for (i = 0; i < *size_ret; i++)
-            if (*format_ret == 32)
-              (*((unsigned long **) data_ret)) [i] =
-                cons_to_unsigned (XVECTOR (obj)->contents [i], ULONG_MAX);
-            else
-              (*((unsigned short **) data_ret)) [i] =
-                cons_to_unsigned (XVECTOR (obj)->contents [i], USHRT_MAX);
+          for (i = 0; i < size; i++)
+            {
+              intmax_t v = cons_to_signed (XVECTOR (obj)->contents[i],
+                                           X_LONG_MIN, X_LONG_MAX);
+              if (X_SHRT_MIN <= v && v <= X_SHRT_MAX)
+                {
+                  /* Use sizeof (long) even if it is more than 32 bits.
+                     See comment in x_get_window_property and
+                     x_fill_property_data.  */
+                  data_size = sizeof (long);
+                  format = 32;
+                }
+            }
+          *data_ret = xnmalloc (size, data_size);
+          *format_ret = format;
+          *size_ret = size;
+          for (i = 0; i < size; i++)
+            {
+              long v = cons_to_signed (XVECTOR (obj)->contents[i],
+                                       X_LONG_MIN, X_LONG_MAX);
+              if (format == 32)
+                (*((long **) data_ret)) [i] = v;
+              else
+                (*((short **) data_ret)) [i] = v;
+            }
         }
     }
   else
@@ -1817,8 +1872,8 @@ clean_local_selection_data (Lisp_Object obj)
     }
   if (VECTORP (obj))
     {
-      int i;
-      int size = ASIZE (obj);
+      ptrdiff_t i;
+      ptrdiff_t size = ASIZE (obj);
       Lisp_Object copy;
       if (size == 1)
         return clean_local_selection_data (XVECTOR (obj)->contents [0]);
@@ -2213,6 +2268,8 @@ x_check_property_data (Lisp_Object data)
       else if (CONSP (o) &&
                (! NUMBERP (XCAR (o)) || ! NUMBERP (XCDR (o))))
         return -1;
+      if (size == INT_MAX)
+        return -1;
       size++;
     }
 
@@ -2294,8 +2351,11 @@ Lisp_Object
 x_property_data_to_lisp (struct frame *f, const unsigned char *data,
                          Atom type, int format, long unsigned int size)
 {
+  ptrdiff_t format_bytes = format >> 3;
+  if (PTRDIFF_MAX / format_bytes < size)
+    memory_full (SIZE_MAX);
   return selection_data_to_lisp_data (FRAME_X_DISPLAY (f),
-                                      data, size*format/8, type, format);
+                                      data, size * format_bytes, type, format);
 }
 
 /* Get the mouse position in frame relative coordinates.  */
@@ -2401,15 +2461,9 @@ FRAME is on.  If FRAME is nil, the selected frame is used.  */)
       return Qnil;
 
   if (dpyinfo->x_dnd_atoms_length == dpyinfo->x_dnd_atoms_size)
-    {
-      if (min (PTRDIFF_MAX, SIZE_MAX) / sizeof *dpyinfo->x_dnd_atoms / 2
-          < dpyinfo->x_dnd_atoms_size)
-        memory_full (SIZE_MAX);
-      dpyinfo->x_dnd_atoms_size *= 2;
-      dpyinfo->x_dnd_atoms = xrealloc (dpyinfo->x_dnd_atoms,
-                                       sizeof (*dpyinfo->x_dnd_atoms)
-                                       * dpyinfo->x_dnd_atoms_size);
-    }
+    dpyinfo->x_dnd_atoms =
+      xpalloc (dpyinfo->x_dnd_atoms, &dpyinfo->x_dnd_atoms_size,
+               1, -1, sizeof *dpyinfo->x_dnd_atoms);
 
   dpyinfo->x_dnd_atoms[dpyinfo->x_dnd_atoms_length++] = x_atom;
   return Qnil;
@@ -2444,7 +2498,7 @@ x_handle_dnd_message (struct frame *f, XClientMessageEvent *event, struct x_disp
   if (32 < BITS_PER_LONG && event->format == 32)
     {
       for (i = 0; i < 5; ++i) /* There are only 5 longs in a ClientMessage. */
-        idata[i] = (int) event->data.l[i];
+        idata[i] = event->data.l[i];
       data = (unsigned char *) idata;
     }
 
diff --git a/src/xsmfns.c b/src/xsmfns.c
index cb56ae648d1..55daec73307 100644
--- a/src/xsmfns.c
+++ b/src/xsmfns.c
@@ -223,9 +223,11 @@ smc_save_yourself_CB (SmcConn smcConn,
   props[props_idx]->name = xstrdup (SmRestartCommand);
   props[props_idx]->type = xstrdup (SmLISTofARRAY8);
   /* /path/to/emacs, --smid=xxx --no-splash --chdir=dir ... */
+  if (INT_MAX - 3 < initial_argc)
+    memory_full (SIZE_MAX);
   i = 3 + initial_argc;
   props[props_idx]->num_vals = i;
-  vp = (SmPropValue *) xmalloc (i * sizeof(*vp));
+  vp = xnmalloc (i, sizeof *vp);
   props[props_idx]->vals = vp;
   props[props_idx]->vals[vp_idx].length = strlen (emacs_program);
   props[props_idx]->vals[vp_idx++].value = emacs_program;
diff --git a/src/xterm.c b/src/xterm.c
index cefb98a476d..be456a61a6f 100644
--- a/src/xterm.c
+++ b/src/xterm.c
@@ -1662,19 +1662,18 @@ x_color_cells (Display *dpy, int *ncells)
   if (dpyinfo->color_cells == NULL)
     {
       Screen *screen = dpyinfo->screen;
+      int ncolor_cells = XDisplayCells (dpy, XScreenNumberOfScreen (screen));
       int i;
 
-      dpyinfo->ncolor_cells
-        = XDisplayCells (dpy, XScreenNumberOfScreen (screen));
-      dpyinfo->color_cells
-        = (XColor *) xmalloc (dpyinfo->ncolor_cells
-                              * sizeof *dpyinfo->color_cells);
+      dpyinfo->color_cells = xnmalloc (ncolor_cells,
+                                       sizeof *dpyinfo->color_cells);
+      dpyinfo->ncolor_cells = ncolor_cells;
 
-      for (i = 0; i < dpyinfo->ncolor_cells; ++i)
+      for (i = 0; i < ncolor_cells; ++i)
         dpyinfo->color_cells[i].pixel = i;
 
       XQueryColors (dpy, dpyinfo->cmap,
-                    dpyinfo->color_cells, dpyinfo->ncolor_cells);
+                    dpyinfo->color_cells, ncolor_cells);
     }
 
   *ncells = dpyinfo->ncolor_cells;
@@ -4233,7 +4232,7 @@ xt_action_hook (Widget widget, XtPointer client_data, String action_name,
    x_send_scroll_bar_event and x_scroll_bar_to_input_event.  */
 
 static struct window **scroll_bar_windows;
-static size_t scroll_bar_windows_size;
+static ptrdiff_t scroll_bar_windows_size;
 
 
 /* Send a client message with message type Xatom_Scrollbar for a
@@ -4248,7 +4247,7 @@ x_send_scroll_bar_event (Lisp_Object window, int part, int portion, int whole)
   XClientMessageEvent *ev = (XClientMessageEvent *) &event;
   struct window *w = XWINDOW (window);
   struct frame *f = XFRAME (w->frame);
-  size_t i;
+  ptrdiff_t i;
 
   BLOCK_INPUT;
 
@@ -4269,16 +4268,15 @@ x_send_scroll_bar_event (Lisp_Object window, int part, int portion, int whole)
 
   if (i == scroll_bar_windows_size)
     {
-      size_t new_size = max (10, 2 * scroll_bar_windows_size);
-      size_t nbytes = new_size * sizeof *scroll_bar_windows;
-      size_t old_nbytes = scroll_bar_windows_size * sizeof *scroll_bar_windows;
-
-      if ((size_t) -1 / sizeof *scroll_bar_windows < new_size)
-        memory_full (SIZE_MAX);
-      scroll_bar_windows = (struct window **) xrealloc (scroll_bar_windows,
-                                                        nbytes);
+      ptrdiff_t old_nbytes =
+        scroll_bar_windows_size * sizeof *scroll_bar_windows;
+      ptrdiff_t nbytes;
+      enum { XClientMessageEvent_MAX = 0x7fffffff };
+      scroll_bar_windows =
+        xpalloc (scroll_bar_windows, &scroll_bar_windows_size, 1,
+                 XClientMessageEvent_MAX, sizeof *scroll_bar_windows);
+      nbytes = scroll_bar_windows_size * sizeof *scroll_bar_windows;
       memset (&scroll_bar_windows[i], 0, nbytes - old_nbytes);
-      scroll_bar_windows_size = new_size;
     }
 
   scroll_bar_windows[i] = w;
@@ -5856,11 +5854,12 @@ handle_one_xevent (struct x_display_info *dpyinfo, XEvent *eventptr,
   } inev;
   int count = 0;
   int do_help = 0;
-  int nbytes = 0;
+  ptrdiff_t nbytes = 0;
   struct frame *f = NULL;
   struct coding_system coding;
   XEvent event = *eventptr;
   Mouse_HLInfo *hlinfo = &dpyinfo->mouse_highlight;
+  USE_SAFE_ALLOCA;
 
   *finish = X_EVENT_NORMAL;
 
@@ -6556,7 +6555,7 @@ handle_one_xevent (struct x_display_info *dpyinfo, XEvent *eventptr,
             }
 
           {     /* Raw bytes, not keysym.  */
-            register int i;
+            ptrdiff_t i;
             int nchars, len;
 
             for (i = 0, nchars = 0; i < nbytes; i++)
@@ -6569,7 +6568,6 @@ handle_one_xevent (struct x_display_info *dpyinfo, XEvent *eventptr,
             if (nchars < nbytes)
               {
                 /* Decode the input data.  */
-                int require;
 
                 /* The input should be decoded with `coding_system'
                    which depends on which X*LookupString function
@@ -6582,9 +6580,9 @@ handle_one_xevent (struct x_display_info *dpyinfo, XEvent *eventptr,
                    gives us composition information.  */
                 coding.common_flags &= ~CODING_ANNOTATION_MASK;
 
-                require = MAX_MULTIBYTE_LENGTH * nbytes;
-                coding.destination = alloca (require);
-                coding.dst_bytes = require;
+                SAFE_NALLOCA (coding.destination, MAX_MULTIBYTE_LENGTH,
+                              nbytes);
+                coding.dst_bytes = MAX_MULTIBYTE_LENGTH * nbytes;
                 coding.mode |= CODING_MODE_LAST_BLOCK;
                 decode_coding_c_string (&coding, copy_bufptr, nbytes, Qnil);
                 nbytes = coding.produced;
@@ -7043,6 +7041,7 @@ handle_one_xevent (struct x_display_info *dpyinfo, XEvent *eventptr,
       count++;
     }
 
+  SAFE_FREE ();
   *eventptr = event;
   return count;
 }
@@ -9872,6 +9871,7 @@ x_term_init (Lisp_Object display_name, char *xrm_option, char *resource_name)
   struct x_display_info *dpyinfo;
   XrmDatabase xrdb;
   Mouse_HLInfo *hlinfo;
+  ptrdiff_t lim;
 
   BLOCK_INPUT;
 
@@ -10094,12 +10094,15 @@ x_term_init (Lisp_Object display_name, char *xrm_option, char *resource_name)
   XSetAfterFunction (x_current_display, x_trace_wire);
 #endif /* ! 0 */
 
+  lim = min (PTRDIFF_MAX, SIZE_MAX) - sizeof "@";
+  if (lim - SBYTES (Vinvocation_name) < SBYTES (Vsystem_name))
+    memory_full (SIZE_MAX);
   dpyinfo->x_id_name
     = (char *) xmalloc (SBYTES (Vinvocation_name)
                         + SBYTES (Vsystem_name)
                         + 2);
-  sprintf (dpyinfo->x_id_name, "%s@%s",
-           SSDATA (Vinvocation_name), SSDATA (Vsystem_name));
+  strcat (strcat (strcpy (dpyinfo->x_id_name, SSDATA (Vinvocation_name)), "@"),
+          SSDATA (Vsystem_name));
 
   /* Figure out which modifier bits mean what.  */
   x_find_modifier_meanings (dpyinfo);