tiff: limit PackBits decompression output size

[mohammadmseet-hue]

unpackBits has no output size limit. readBuf, which is used
for LZW, Deflate, and CCITT decompression, enforces a limit,
but the PackBits path bypasses readBuf entirely. This allows
a 2MB TIFF with PackBits compression to decompress to 745MB
(372x amplification).

CVE-2023-29408 added decompression size limits for other
formats but did not cover PackBits. This change adds a limit
parameter to unpackBits matching blockMaxDataSize, consistent
with the existing readBuf approach.

Updates golang/go#61582

[gopherbot]

This PR (HEAD: 7ff5fd3) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/image/+/759960.

Important tips:

• Don't comment on this PR. All discussion takes place in Gerrit.
• You need a Gmail or other Google account to log in to Gerrit.
• To change your code in response to feedback:
  • Push a new commit to the branch used by your GitHub PR.
  • A new "patch set" will then appear in Gerrit.
  • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
  • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
  • Multiple commits in the PR will be squashed by GerritBot.
• The title and description of the GitHub PR are used to construct the final commit message.
  • Edit these as needed via the GitHub web interface (not via Gerrit or git).
  • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
• See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

[gopherbot]

Message from Gopher Robot:

Patch Set 1:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/759960.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

This PR (HEAD: 460db42) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/image/+/759960.

Important tips:

• Don't comment on this PR. All discussion takes place in Gerrit.
• You need a Gmail or other Google account to log in to Gerrit.
• To change your code in response to feedback:
  • Push a new commit to the branch used by your GitHub PR.
  • A new "patch set" will then appear in Gerrit.
  • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
  • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
  • Multiple commits in the PR will be squashed by GerritBot.
• The title and description of the GitHub PR are used to construct the final commit message.
  • Edit these as needed via the GitHub web interface (not via Gerrit or git).
  • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
• See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

[gopherbot]

Message from Mohammad Seet:

Patch Set 2:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/759960.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

This PR (HEAD: 2e5fbdb) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/image/+/759960.

Important tips:

• Don't comment on this PR. All discussion takes place in Gerrit.
• You need a Gmail or other Google account to log in to Gerrit.
• To change your code in response to feedback:
  • Push a new commit to the branch used by your GitHub PR.
  • A new "patch set" will then appear in Gerrit.
  • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
  • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
  • Multiple commits in the PR will be squashed by GerritBot.
• The title and description of the GitHub PR are used to construct the final commit message.
  • Edit these as needed via the GitHub web interface (not via Gerrit or git).
  • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
• See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

[gopherbot]

Message from Mohammad Seet:

Patch Set 3:

Done. Removed duplicated title from body and ensured clean formatting.

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/759960.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Nigel Tao:

Patch Set 4: Code-Review+2

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/759960.
After addressing review feedback, remember to publish your drafts!