Merge pull request #5912 from radarhere/fix-pdf-redos-carriage-return

Exclude carriage return in PDF regex to help prevent ReDoS
python-pillow · Dec 28, 2021 · 43b800d · 43b800d
2 parents 282d825 + dd80493
commit 43b800d
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 3 deletions.
diff --git a/Tests/test_file_pdf.py b/Tests/test_file_pdf.py
@@ -313,8 +313,9 @@ def test_pdf_append_to_bytesio():
 
 
 @pytest.mark.timeout(1)
-def test_redos():
-    malicious = b" trailer<<>>" + b"\n" * 3456
+@pytest.mark.parametrize("newline", (b"\r", b"\n"))
+def test_redos(newline):
+    malicious = b" trailer<<>>" + newline * 3456
 
     # This particular exception isn't relevant here.
     # The important thing is it doesn't timeout, cause a ReDoS (CVE-2021-25292).

diff --git a/src/PIL/PdfParser.py b/src/PIL/PdfParser.py
@@ -582,7 +582,8 @@ def next_object_id(self, offset=None):
     whitespace_or_hex = br"[\000\011\012\014\015\0400-9a-fA-F]"
     whitespace_optional = whitespace + b"*"
     whitespace_mandatory = whitespace + b"+"
-    whitespace_optional_no_nl = br"[\000\011\014\015\040]*"  # no "\012" aka "\n"
+    # No "\012" aka "\n" or "\015" aka "\r":
+    whitespace_optional_no_nl = br"[\000\011\014\040]*"
     newline_only = br"[\r\n]+"
     newline = whitespace_optional_no_nl + newline_only + whitespace_optional_no_nl
     re_trailer_end = re.compile(