GHSA-gj94-v4p9-w672: Denial-of-service vulnerability processing large chat messages containing many newlines

PocketMine-MP caps maximum chat message length at 512 Unicode characters, or about 2048 bytes. No more than 2 chat messages may be sent per tick. However, due to legacy reasons, incoming chat message blobs are split by \n, and each part is treated as a separate message, the length of each part is individually checked. The length of the whole message is not checked.

This leads to an exploitable performance issue, in which a malicious client may send a chat packet of several megabytes containing nothing but \n newline characters. The server will parse this into a very large array and spend a long time (several milliseconds) iterating over it for no reason.

Furthermore, due to the lack of sufficient rate limit checks before parsing messages, malicious clients may bombard the server with many thousands of these malicious messages, causing lockups for a significant amount of time (seconds or minutes).