Make SimplifyWalker::SimplifyRepeat() use Regexp::Concat().

This builds a two-level tree for very large numbers of
subexpressions. When min is greater than 65535 due to
coalescing, for example.

This bug was discovered by the LLVM fuzzer.

Change-Id: I7e21d24f6546b9d8f3a3d844e0ed5c6af246aa1e
Reviewed-on: https://code-review.googlesource.com/9890
Reviewed-by: Paul Wankadia <junyer@google.com>

re2/simplify.cc

diff --git a/re2/simplify.cc b/re2/simplify.cc
index 06f0386..910ebcc 100644
--- a/re2/simplify.cc
+++ b/re2/simplify.cc
@@ -589,12 +589,12 @@
       return Regexp::Plus(re->Incref(), f);
 
     // General case: x{4,} is xxxx+
-    Regexp* nre = new Regexp(kRegexpConcat, f);
-    nre->AllocSub(min);
-    Regexp** nre_subs = nre->sub();
+    Regexp** nre_subs = new Regexp*[min];
     for (int i = 0; i < min-1; i++)
       nre_subs[i] = re->Incref();
     nre_subs[min-1] = Regexp::Plus(re->Incref(), f);
+    Regexp* nre = Regexp::Concat(nre_subs, min, f);
+    delete[] nre_subs;
     return nre;
   }
 
@@ -613,11 +613,11 @@
   // Build leading prefix: xx.  Capturing only on the last one.
   Regexp* nre = NULL;
   if (min > 0) {
-    nre = new Regexp(kRegexpConcat, f);
-    nre->AllocSub(min);
-    Regexp** nre_subs = nre->sub();
+    Regexp** nre_subs = new Regexp*[min];
     for (int i = 0; i < min; i++)
       nre_subs[i] = re->Incref();
+    nre = Regexp::Concat(nre_subs, min, f);
+    delete[] nre_subs;
   }
 
   // Build and attach suffix: (x(x(x)?)?)?