From 7cf983cb03d600ea16b3f186ab76b215b53dc4c6 Mon Sep 17 00:00:00 2001
From: CosmicAlpha
Date: Sun, 12 Mar 2023 13:18:38 -0600
Subject: [PATCH] Only check for buffer overflow (#223)

The other regex validation seems unnecessary.
---
 CHANGELOG.md       | 3 ++-
 includes/Hooks.php | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 85c0932..af8830d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -810,4 +810,5 @@ Many thanks to GreenReaper on GitHub for reporting and finding issues with core
 # Version 3.5.2
 * Added support for PHP 8.0 and PHP 8.1
-* Added additional ReDoS security validation for `dplreplace` and enabled the `SecurityCheck-ReDoS` phan check
+* Enabled the `SecurityCheck-ReDoS` phan check
+* Added buffer overflow check for `dplreplace`
diff --git a/includes/Hooks.php b/includes/Hooks.php
index c1b970e..7f768cb 100644
--- a/includes/Hooks.php
+++ b/includes/Hooks.php
@@ -376,8 +376,8 @@ class Hooks {
 $pat = '`' . str_replace( '`', '\`', $pat ) . '`';
 }
 
-// check for dangerous patterns
-if ( preg_match( '/(\(\?[:\!R0])|(\\\d)|(\\{\\d+\\,\\d+\\})|(\\[.*\\])|(\\?=)|(\\?!)|(\\?<=)|(\\? 1000 ) { return ''; }
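Review bot: The check that survives in the new `if` (the hunk is collapsed, but it reads as a `strlen( $pat ) > 1000` bound that returns `''`) limits only the pattern's byte length, which does not bound PCRE backtracking, so the removed ReDoS screen is not replaced by an equivalent protection. A defensive fallback that needs no pattern inspection is to check `preg_last_error()` after the `preg_replace` call (outside this hunk) and treat `PREG_BACKTRACK_LIMIT_ERROR` and `PREG_JIT_STACKLIMIT_ERROR` as a rejected pattern, so the `pcre.backtrack_limit` setting becomes the effective guard. The new comment `// check for buffer overflow` also misdescribes the check, since PHP's `preg_*` functions do not overflow on long patterns; `// cap pattern length (this bounds pattern size, not backtracking)` would be accurate. The enclosing method of `class Hooks` begins outside the hunk, so it is not visible here whether the silent `return ''` on rejection is consistent with how other invalid input is reported.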