Merge pull request #5393 from hugovk/test-redos

Add test for CVE-2021-25292 ReDoS
2025-02-28 10:00:33 +03:00 · 2021-04-09 23:34:11 +10:00 · 2021-04-09 23:34:11 +10:00 · 356681faae
commit 356681faae
parent b01fd46fe6 bde149be38
1 changed files with 10 additions and 0 deletions
--- a/Tests/test_file_pdf.py
+++ b/Tests/test_file_pdf.py
@ -286,3 +286,13 @@ def test_pdf_append_to_bytesio():
    f = io.BytesIO(f.getvalue())
    im.save(f, format="PDF", append=True)
    assert len(f.getvalue()) > initial_size
+
+
+@pytest.mark.timeout(1)
+def test_redos():
+    malicious = b" trailer<<>>" + b"\n" * 3456
+
+    # This particular exception isn't relevant here.
+    # The important thing is it doesn't timeout, cause a ReDoS (CVE-2021-25292).
+    with pytest.raises(PdfParser.PdfFormatError):
+        PdfParser.PdfParser(buf=malicious)