x/image/tiff: over allocation in DecodeConfig (CVE-2022-41727)

[rolandshoemaker]

This is a PRIVATE issue for CVE-2022-41727, tracked in http://b/262244452 and fixed by http://tg/1680712.

/cc @golang/security and @golang/release

[Jason7602]

@gopherbot please open backport issues.

[gopherbot]

Backport issue(s) opened: #58403 (for 1.19), #58404 (for 1.20).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

[rolandshoemaker]

This change will not be backported, as it is a change to a golang.org/x/ module which is not vendored in the standard library.

[gopherbot]

Change https://go.dev/cl/468195 mentions this issue: tiff: don't pre-allocate giant slices before reading

[epelc]

Does this warrant reconsidering #20814