From dd8049363e16708293a7d19fec43bf08f8ea2667 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade
Date: Mon, 11 Oct 2021 17:22:56 +0300
Subject: [PATCH] Use more specific regex chars to prevent ReDoS - exclude carriage return
---
 Tests/test_file_pdf.py | 5 +++--
 src/PIL/PdfParser.py | 3 ++-
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/Tests/test_file_pdf.py b/Tests/test_file_pdf.py
index 40a027cc5..10daa414b 100644
--- a/Tests/test_file_pdf.py
+++ b/Tests/test_file_pdf.py
@@ -313,8 +313,9 @@ def test_pdf_append_to_bytesio():
 @pytest.mark.timeout(1)
-def test_redos():
- malicious = b" trailer<<>>" + b"\n" * 3456
+@pytest.mark.parametrize("newline", (b"\r", b"\n"))
+def test_redos(newline):
+ malicious = b" trailer<<>>" + newline * 3456
 # This particular exception isn't relevant here.
 # The important thing is it doesn't timeout, cause a ReDoS (CVE-2021-25292).
diff --git a/src/PIL/PdfParser.py b/src/PIL/PdfParser.py
index b95abbe2f..6ac9c7a7c 100644
--- a/src/PIL/PdfParser.py
+++ b/src/PIL/PdfParser.py
@@ -582,7 +582,8 @@ class PdfParser:
 whitespace_or_hex = br"[\000\011\012\014\015\0400-9a-fA-F]"
 whitespace_optional = whitespace + b"*"
 whitespace_mandatory = whitespace + b"+"
- whitespace_optional_no_nl = br"[\000\011\014\015\040]*" # no "\012" aka "\n"
+ # No "\012" aka "\n" or "\015" aka "\r":
+ whitespace_optional_no_nl = br"[\000\011\014\040]*"
 newline_only = br"[\r\n]+"
 newline = whitespace_optional_no_nl + newline_only + whitespace_optional_no_nl
 re_trailer_end = re.compile(
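Review bot: The new comment above `whitespace_optional_no_nl` in the PdfParser.py hunk says which bytes are excluded but not why, and the why is the property this fix rests on: the class must be disjoint from `newline_only` (`[\r\n]+`), because the concatenation in `newline` otherwise lets a long CR/LF run be split between the two parts in exponentially many ways and the regex backtracks (CVE-2021-25292). I would extend the comment to `# No "\012" ("\n") or "\015" ("\r"): this class must stay disjoint from newline_only, or the newline pattern backtracks exponentially on long CR/LF runs (CVE-2021-25292).` so the next edit does not reintroduce the overlap. Writing `newline_only = br"[\012\015]+"` in the same octal notation as its siblings would make that disjointness visible at a glance. The same caution applies to any pattern that places `whitespace_optional` (built from `whitespace`, which is defined above the hunk and presumably includes CR and LF, as `whitespace_or_hex` visibly does) directly next to `newline`; `re_trailer_end` begins on the hunk's last line and its body is outside the hunk, so I could not check it here. The enclosing `class PdfParser` starts outside the hunk.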