From bde149be384635ede45e0a5bde7dc3f7cb4ae039 Mon Sep 17 00:00:00 2001
From: Hugo van Kemenade
Date: Thu, 8 Apr 2021 23:53:22 +0300
Subject: [PATCH] Add test for CVE-2021-25292 ReDoS

---
 Tests/test_file_pdf.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/Tests/test_file_pdf.py b/Tests/test_file_pdf.py
index e5bba483a..c7839873a 100644
--- a/Tests/test_file_pdf.py
+++ b/Tests/test_file_pdf.py
@@ -286,3 +286,13 @@ def test_pdf_append_to_bytesio():
     f = io.BytesIO(f.getvalue())
     im.save(f, format="PDF", append=True)
     assert len(f.getvalue()) > initial_size
+
+
+@pytest.mark.timeout(1)
+def test_redos():
+    malicious = b" trailer<<>>" + b"\n" * 3456
+
+    # This particular exception isn't relevant here.
+    # The important thing is it doesn't timeout, cause a ReDoS (CVE-2021-25292).
+    with pytest.raises(PdfParser.PdfFormatError):
+        PdfParser.PdfParser(buf=malicious)
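Review bot: The `@pytest.mark.timeout(1)` decorator on `test_redos` is the only thing that turns a ReDoS regression into a failure, and it is enforced only when the pytest-timeout plugin is installed; without the plugin pytest treats the mark as unknown (a warning, or an error under `--strict-markers`) and a regressed parser would hang the run rather than fail. I can't see the test requirements in this diff, so if the plugin isn't pinned there, consider a plugin-independent guard as well: `start = time.monotonic()` before the `with` block and `assert time.monotonic() - start < 1` after it, so the test fails on its own. A short comment on the `malicious` line saying which PdfParser pattern the `b"\n" * 3456` run was chosen to make backtrack would help future readers; the regex itself is outside this diff, so I can't suggest the exact wording. `test_pdf_append_to_bytesio` starts outside the hunk (only its last three lines appear as context); `test_redos` is complete within it.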