jpc_dec: fix tile memory leak after decoder failure

[MaxKellermann]

The function jpc_dec_tilefini() is only called for tiles which have
completed successfully. If there is one decoder error, all unfinished
tiles leak lots of memory.

This change adds jpc_dec_tilefini() calls to jpc_dec_destroy() for
each tile which is not marked "done" (state!=JPC_TILE_DONE). This
however crashes when the tile initialization loop in
jpc_dec_process_siz() fails, because the rest of the array has not yet
been initialized; to work around this, I added a loop which
initializes all states with JPC_TILE_DONE before doing the real
initialization.

[jubalh]

@mdadams I think this is about CVE-2017-13748

[MaxKellermann]

Since this repository is abandoned and @mdadams has not replied for several years to my code submissions and emails, I'll be moving my efforts to fix Jasper to https://github.com/jasper-maint/jasper

[mdadams]

Since this repository is abandoned and @mdadams has not replied for several years to my code submissions and emails, I'll be moving my efforts to fix Jasper to https://github.com/jasper-maint/jasper

@MaxKellermann and @jubalh:
As I have said numerous times before, the inactivity in the development/maintenance of JasPer is due to resource limitations, not due to a lack of interest in JasPer. So, it is somewhat misleading to say that this repository/project has been completely abandoned. While I understand your reasons for creating a fork of the JasPer repository, I cannot officially sanction the fork. By this, I mean that I still consider my original JasPer repository (i.e., https://github.com/mdadams/jasper) to be the official one. I am not opposed to creating a new GitHub organization for JasPer, but this would need to be done in way with which I am comfortable. As I am sure that you can appreciate, the COVID19 pandemic has been having a massive impact on many people's lives for some time now, myself included. This is the reason why I have not been able to participate any discussions about the future of JasPer in recent months. Before anyone starts reading too much into my absence from such discussions, I felt it was necessary to post this brief comment. I would be happy to revisit this matter at a later point when the chaos created by the COVID19 pandemic dissipates.

[jubalh]

As I have said numerous times before, the inactivity in the development/maintenance of JasPer is due to resource limitations, not due to a lack of interest in JasPer.

JasPer had pull requests open from 2017, with no comment on it whatsoever. There are 62 issues many of which are CVEs dating back to 2016 some of which also didn't get any feedback.

In a mail that is over an year old I already suggested various ways to increase resources. Adding more people to the repo, asking some of your students to work on JasPer, creating a GitHub organization. You answered questions in that mail but omitted this topic entirely.

So, it is somewhat misleading to say that this repository/project has been completely abandoned.

A dead upstream is an upstream that does not care about the project anymore. Doesn't give feedback to potential contributors nor shows any activity. Even though that upstream still has "interest", the action is what counts to the users.

While I understand your reasons for creating a fork of the JasPer repository, I cannot officially sanction the fork. By this, I mean that I still consider my original JasPer repository (i.e., https://github.com/mdadams/jasper) to be the official one.

In the README of our fork we explicitly state:

The official web site for the JasPer software has the following URL:

http://www.ece.uvic.ca/~mdadams/jasper
https://github.com/mdadams/jasper

This project is a fork of above mentioned repository.
And is located at:

https://github.com/jasper-maint/jasper/

Several attempts were made to continue with maintenance and revive
development of JasPer in its original repository.

After several months we assumed the project was dead and decided to
fork it.
See state of jasper: #208

So we never claimed our for to be the official jasper and marked it as a fork explicitly.

I am not opposed to creating a new GitHub organization for JasPer, but this would need to be done in way with which I am comfortable.

My first mail about the suggestion to create a GitHub organization is over a year old. I have written numerous more after that. Always trying to keep the original JasPer alive. None such mail was answered. All this happened way before COVID-19.
In April 2020 I started to write you emails again, which got all ignored.

April 14th I again made the idea to create an organization public. By this time you didn't respond to no mail nor GitHub issue at all.
So way over a year later on June 10th 2020 I announce that next week I will create a fork if I do not hear anything back. Still nothing happens.

Then we finally do the work. Set up the organization, push the repo. Create issues so that we can organize everything in a clean way. Do the first commits. And then you suddenly appear and feel entitled to mention your opposition to the project?

COVID-19 has effect on many lives, but I wonder how it can be that you were able to ignore all mails and questions but found the time give a quick shoutout when suddenly something starts to happen. If we wouldn't have forked you would have stayed silent for months on or forever.

And it's not just the silence in recent months with the question about adding more team members to jasper. The state of the old repo has plenty of bugs with no comments. Many open PRs with no feedback at all.
On one PR where Max did some improvements you ignored his PR for one year and then duplicate one of the things he already fixed by fixing it yourself.

This doesn't sound like good community work to me.

In any case there are several things that can happen now. I see the following:

• we abandon our fork
• we rename it if you have problem with the name
• we do nothing
• we add you to the new jasper-maint organization (like I offered before)
• ..more?

I would prefer the second to last option, that you join the organization. Since we organized everything quite nicely and transparently. Users will easily be able to follow the development and fixing of bugs. Things are clearly referenced.

Curious what @MaxKellermann has to say about the subject.

And also interesting that you commented that here and not in #208 where I think it would have been more appropriate.

[MaxKellermann]

I agree with everything @jubalh said.
@mdadams for several years, you let this project linger in limbo with countless very critical security vulnerabilities open. Fixes for many vulnerabilities were sent to you, but you ignored them for years. This got bad enough that most Linux distributions decided to removed JasPer. JasPer has mostly become irrelevant due to your actions (or lack thereof).
I know how hard it is to take time for projects, I have too many projects as well competing for my scarce time (plus real-life projects). I don't judge you for having too little time for JasPer. But I judge you for not accepting help.
The fork now exists, and there are people who want to fix JasPer, with or without you. You can decide if you want to be part of this effort or not. I wish you were part of it, but that's completely up to you. However, your comfort is not top priority for the fork.

[mdadams]

@MaxKellermann and @jubalh:
Just to avoid any misunderstandings, I was NOT trying to suggest that you don't have any legitimate reasons for creating a fork of JasPer. To the best of my knowledge, your fork is the only one mentioned explicitly in GitHub issues for JasPer. So I just wanted to indicate that this fork doesn't have any special status relative to other forks in order to avoid possible confusion amongst JasPer users. I understand your reasons for wanting to fork JasPer. I am not criticizing you for doing this. There are numerous forks of JasPer, and I suspect that at least some of them are motivated by similar issues as the ones that led you to create your own fork. I also agree that it would be best if various parties coordinated their efforts. I think that the best way to handle this would be for me to create a new organization and then transfer the official JasPer repository to that new organization (as opposed to simply creating a fork of it). I have tentatively created an organization called jasper-software and invited both of you to join it. Is this what you had had in mind originally? I have not actually transferred the repository for JasPer to the new organization as of yet. If I were to transfer JasPer to this new organization (not fork it), do you think that this would provide a manageable structure for JasPer maintenance/development? If you do not think that this would be a good idea, I can just leave things as they are and delete the new organization. As I understand it, transfering the repository would probably be better than forking, but I am not a GitHub expert. Of course, if you would prefer to go your own way altogether, I understand. Let me know what you think.

[jubalh]

I see.

So since we already set up an organization and have some issues and some commits. I think it would make sense if you join our organization. So all the references etc will still work.

We could then either just add a note in the readme of your original repo that development moved to the new organization (where you also have access etc) or we could ask GitHub to link from there to the new repo.

So that one goes to https://github.com/mdadams/jasper one gets forwarded to https://github.com/jasper-maint/jasper like if we would have transferred the repo right from the start.

Since in some of our commits we referenced issues form the old repo I'm not sure what will happen to those links.

We could also remove our repo, push the changes so far to yours and transfer that repo to a new organization.
Then just all issues/references we created will be lost.

Not sure which is the best way.. :(

It appears to me that just adding a note and link to the old readme would that directs to the repo we created and adding you as owner to jasper-maint would be best. Since then all references would still be intact. Development can continue and 3 people have access, so it's unlikely to drop dead.

[MaxKellermann]

the best way to handle this would be for me to create a new organization and then transfer the official JasPer repository to that new organization

That is what @jubalh had been suggesting since last year.

Is this what you had had in mind originally? I have not actually transferred the repository for JasPer to the new organization as of yet. If I were to transfer JasPer to this new organization (not fork it), do you think that this would provide a manageable structure for JasPer maintenance/development?

Yes. That would preserve all existing links, existing bug reports and would keep the connection between all those forks.

(Note: technically, https://github.com/jasper-maint/jasper/ is not a "GitHub fork"; while it is legally a fork, on the GitHub level, it is a new project, because we gave up on following https://github.com/mdadams/jasper, and that's the semantic difference to those 56 existing forks, which are not new projects.)

Then just all issues/references we created will be lost.

It is unfortunate that @mdadams waited until it was too late already. This way, he created lots of unnecessary confusion and caused us more work than necessary, costing us more time than necessary - when scarce of time is what plagues everybody. Again, I'm annoyed.

To avoid further problems, my suggestion is that we continue on https://github.com/jasper-maint/jasper/ until its "issues" section is solved. By then, @mdadams will have made up his mind on how he plans to run the new organization. If we agree with his plans, we'll join it, push "jasper-maint/jasper/master" to it and delete "jasper-maint".

Things for @mdadams to do/decide:

• What are the rules for the new organization? (Who will be member, who invites new members? Who is allowed to push? Who reviews and merges incoming PRs? Who does releases? What needs to be done before a release? How are releases announced? Who maintains the website? Does the project need a website, anyway? What's the policy on things like coding style, API/ABI changes/breakages, documentation, unit tests, ... and what about requiring C99/C10?)
• Move the official jasper repository to "jasper-software"
• Merge jasper-maint/jasper/master

[jubalh]

So I just wanted to indicate that this fork doesn't have any special status relative to other forks in order to avoid possible confusion amongst JasPer users. I understand your reasons for wanting to fork JasPer. I am not criticizing you for doing this. There are numerous forks of JasPer, and I suspect that at least some of them are motivated by similar issues as the ones that led you to create your own fork.

I see some confusion about the term here. Like @MaxKellermann mentioned these forks are kind of different.
Basically they are just another git remote. Contributors don't have access to commit to a certain repository (lets say mdadams/jasper). So they need a remote where they have push access. These forks you mention are just that.
A clone of the repository where the individual user has write access to. So in case I want to create a pull request I need to first "fork" the original repo, do my changes locally, push to my remote (what github calls a"fork") and then create a pull request.

We also could have "forked" with the GitHub link your repository to jasper-maint/jasper and then worked on that. Then GitHub would have preserved the link and below our repo it would print "forked from mdadams/jasper".

But we just cloned the repo. Created a new one on GitHub and pushed the repo there. So GitHub doesn't have a link to the original.

So your assumption that these people forked for similar reason is wrong. It is something else entirely. None of these repos (I didn't check all) have any more commits than your repo. They were not done to keep jasper alive.

I also had some time to think about all this again.

And I would like to understand what exactly is your motivation behind creating jasper-software organization, and not just join our jasper-maint organization which we created roughly 2 weeks before yours after you didn't reply to the requests for over a year?

Also, your original repo, if transferred will have all the issues/PRs transferred too. So I would like to know whether you will clean them up or what you plan to do with them. Because in our fork we already went through the original issues and created new issues in our repo for them. In a cleaner and more managable way.

We all have limited time, @MaxKellermann and I volunteered to help with this project. But I would appreciate if it wouldn't be made so hard and more time consuming than necessary. So before now doing all the extra work again, I would like to understand why you think it needs to be done. And what you think will be improved in this way. And it would be good to know how much time etc you can/want to put in in the future.

So far I don't see any benefit except extra work for us.

[MaxKellermann]

@mdadams if you agree with the changes we did to our fork, you can easily merge them now into your official JasPer repository. That way, everybody benefits from the fixes.
If you don't agree, don't merge our changes - but that would, of course, close the door to a cooperation.
This works in both directions - if you have a bugfix in your repository, we'll copy it over to our fork.
So once all CVEs are fixed and both repositories are in sync, we can resume discussion on merging both projects back into one, and how. That's up to you.