Skip to content

xpdf issues being blamed on freetype #13248

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
bungeman opened this issue Apr 23, 2025 · 1 comment
Open

xpdf issues being blamed on freetype #13248

bungeman opened this issue Apr 23, 2025 · 1 comment
Assignees
@oliverchang

Comments

@bungeman
Copy link
Contributor

Consider xpdf issues 42534869, 42534625, and 42534827. These are all being blamed on freetype, for example see OSV-2024-963.yaml which is reported as OSV-2024-963. The issue here appears to be that xpdf does not have a repo see Dockerfile and in fact provides no indication of which version is actually being fuzzed, so there is no information to even pass on for xpdf. However, because freetype is checked out it appears to be blamed as a bystander for all of xpdfs issues, since it is the only "repo" available. I cannot see the detailed reports for these issues, but none of the stacks appear to have anything to do with freetype, and the freetype range on these does not look like it makes much sense.

It isn't entirely clear if this needs to be fixed in oss-fuzz or oss-fuzz-vulns. It looks like the bisect information is from oss-fuzz, which might be blaming the wrong project due to the fact that xpdf doesn't have a main repo (it's just a .tar.gz being downloaded without any version information).
@jonathanmetzman
Copy link
Contributor

Oliver can you route this to the right OSV person?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@oliverchang oliverchang

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@oliverchang @bungeman @jonathanmetzman