xpdf issues being blamed on freetype

Open bungeman opened this issue 8 months ago • 3 comments

Consider xpdf issues 42534869, 42534625, and 42534827. These are all being blamed on freetype; for example, see OSV-2024-963.yaml, which is reported as OSV-2024-963. The issue here appears to be that xpdf does not have a repo (see Dockerfile) and in fact provides no indication of which version is actually being fuzzed, so there is no information to even pass on for xpdf. However, because freetype is checked out, it appears to be blamed as a bystander for all of xpdf's issues, since it is the only "repo" available. I cannot see the detailed reports for these issues, but none of the stacks appear to have anything to do with freetype, and the freetype range on these does not look like it makes much sense.

It isn't entirely clear if this needs to be fixed in oss-fuzz or oss-fuzz-vulns. It looks like the bisect information is from oss-fuzz, which might be blaming the wrong project due to the fact that xpdf doesn't have a main repo (it's just a .tar.gz being downloaded without any version information).

bungeman, Apr 23 '25 20:04

Oliver can you route this to the right OSV person?

jonathanmetzman, May 28 '25 12:05

Thanks for reporting this! All three xpdf OSV records have now been marked as withdrawn.

oliverchang, Jun 03 '25 07:06

https://github.com/google/osv.dev/pull/3532 is also out to prevent future records from being created.

oliverchang, Jun 03 '25 07:06