After trying to think of ways this might go wrong, I realized that there's a danger that the calling function might implicitly cast the return value to a larger type (ie unsigned int to unsigned long long). Then checking if that value == -1 will be false.
The safer option is to explicitly use size_t.max as the sentinel value. I'm always uncomfortable with changing between signed and unsigned types. Sometimes I think the more reasonable approach is to just make everything signed (like Java does).