vim-patch:9.1.0689: [security]: buffer-overflow in do_search() with 'rightleft'

Problem:  buffer-overflow in do_search() with 'rightleft'
          (SuyueGuo)
Solution: after reversing the text (which allocates a new buffer),
          re-calculate the text length

Github Advisory:
https://github.com/vim/vim/security/advisories/GHSA-v2x2-cjcg-f9jm

cacb6693c1

Add missing change from patch 8.1.1270.
Omit `call delete('Untitled')`: moved again in patch 9.1.0695.

Co-authored-by: Christian Brabandt <cb@256bit.org>

src/nvim/search.c

@@ -1282,9 +1282,10 @@ int do_search(oparg_T *oap, int dirc, int search_delim, char *pat, size_t patlen
         // it would be blanked out again very soon.  Show it on the
         // left, but do reverse the text.
         if (curwin->w_p_rl && *curwin->w_p_rlc == 's') {
-          char *r = reverse_text(trunc != NULL ? trunc : msgbuf);
+          char *r = reverse_text(msgbuf);
           xfree(msgbuf);
           msgbuf = r;
+          msgbuflen = strlen(msgbuf);
           // move reversed text to beginning of buffer
           while (*r == ' ') {
             r++;

test/old/testdir/test_crash.vim

@@ -150,6 +150,13 @@ func Test_crash1_2()
     \ ' ; echo "crash 4: [OK]" >> '.. result .. "\<cr>")
   call TermWait(buf, 150)
 
+  let file = 'crash/reverse_text_overflow'
+  let cmn_args = "%s -u NONE -i NONE -n -X -m -n -e -s -S %s -c ':qa!'"
+  let args = printf(cmn_args, vim, file)
+  call term_sendkeys(buf, args ..
+    \ ' ; echo "crash 5: [OK]" >> '.. result .. "\<cr>")
+  call TermWait(buf, 150)
+
   " clean up
   exe buf .. "bw!"
   exe "sp " .. result
@@ -158,6 +165,7 @@ func Test_crash1_2()
       \ 'crash 2: [OK]',
       \ 'crash 3: [OK]',
       \ 'crash 4: [OK]',
+      \ 'crash 5: [OK]',
       \ ]
 
   call assert_equal(expected, getline(1, '$'))