Sun Dec 16 14:20:22 2018 UTC
leptonica: updated to 1.77.0

1.77.0:
Here is the current status of CVE issues with leptonica; see
  https://security-tracker.debian.org/tracker/source-package/leptonlib
* CVE-2018-7442: potential injection attack because '/' is allowed
  in gplot rootdir.
  Functions using this command have been disabled by default in the
  distribution, starting with 1.76.0.  As for the specific issue, it
  is impossible to specify a general path without using the standard
  directory subdivider '/'.
* CVE-2018-7186: number of characters not limited in fscanf or sscanf,
  allowing possible attack with buffer overflow.
  This has been fixed in 1.75.3.
* CVE-2018-3836: command injection vulnerability in gplotMakeOutput().
  This has been fixed in 1.75.3, using stringCheckForChars() to block
  rootnames containing any of: ;&|>"?*$()/<
* CVE-2017-18196: duplicated path components.
  This was fixed in 1.75.3.
* CVE-2018-7441: hardcoded /tmp pathnames.
  These are all wrapped in special debug functions that are not
  enabled by default in the distribution, starting with 1.76.0.
* CVE-2018-7247: input 'rootname' can overflow a buffer.
  This was fixed in 1.76.0, using snprintf().
* CVE-2018-7440: command injection in gplotMakeOutput using $(command).
  Fixed in 1.75.3, which blocks '$' as well as 11 other characters.
Wrapped the few 'system' calls in an extra layer of debug code.
More coverity scan fixes; defects are about 1 per 10,000 source lines.
New regression tests: numa1_reg, numa2_reg, lowaccess_reg,
  pixmem_reg.
New non-regression test programs: histoduptest
Juergen Buchmueller is working on Lua bindings.  He typedef'd l_ok
  and used it in 1100 functions that return a success/failure status.
  He also helped clean up remaining issues in the doxygen-generated
  documentation.
Using a packed struct for bmp headers to avoid crash on
  some big-endians.
Fixed a bug in the prototype parser for xtractprotos that was
  surfaced by a typedef declaration for the bmp headers.
Cleaned up IOS guards to avoid compiling a system(3) call on IOS.
Renamed autobuild --> autogen.sh
Added some basic pixa functions for rotation and translation.
Added an iterative method to find rectangular coverings for
  arbitrary connected components.
Converted two tests to reg tests running in alltests_reg:
  ptra1_reg, ptra2_reg
Enabled read/write for standard jpeg compressed tiff images.
Enabled reading for the old (deprecated) jpeg-encoded tiffs.
Fix range selectors for pixa, pixaa, boxa, boxaa, pta:
  Now, last = -1 goes to the end.
When reading tiff --> pix, insert IMAGEDESCRIPTION into text field.
Converted iotest to reg test iomisc_reg; added to alltests_reg
Converted rasterop_reg into a standard regression test; added
  to alltests_reg.
Converted boxa2_reg and fhmtauto_reg into standard regression tests;
  added to alltests_reg.
Split boxa sequence functions out of boxfunc4.c, into a new boxfunc5.c.
Simplified bmp header and made reading more clearly endian
  agnostic (Juergen Buchmueller)
New boxa3_reg regression test. This tests sequences of boxes
  by two new boxfunctions in boxfunc5.c.
New bootnumgen4.c for more digit templates.
Rename prog/recog_bootnum.c --> prog/recog_bootname1.c
New in prog: recog_bootnum2.c, recog_bootnum3.c, recogtest7.c
Fixed uninitialized data in pixCentroid() on 1 bpp pix.
New reg test: bytea_reg.c.  (removed byteatest.c)
Fixed bug in non-transcoding pdf generation from 1 bpp png.
Added LGTM to static analyzers that run over the library.


(adam)
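Added worked example (written for this page; it is not leptonica's code and does not reproduce the library's implementation): the three mitigations the changelog above names, as a stand-alone C program. The only thing taken from the page is the blocked-character set ;&|>"?*$()/< from the CVE-2018-3836 / CVE-2018-7440 entries; the function names (rootname_is_safe, rootname_is_stem, build_gplot_cmd, parse_header_line and the demo helpers), the "gnuplot %s.cmd" command template and the sample inputs are hypothetical stand-ins chosen for illustration.

```c
/* Added example, not leptonica code: the mitigations the 1.77.0 changelog
 * above names (rootname character check, snprintf() bound, sscanf() field
 * width) as stand-alone C.  Only the blocked-character set comes from the
 * page; every function name and sample input is a hypothetical stand-in. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_BUFSIZE 64

/* The 12 characters the changelog says are rejected in a gplot rootname. */
static const char BAD_ROOTNAME_CHARS[] = ";&|>\"?*$()/<";

/* Denylist check in the spirit of the stringCheckForChars() gate described
 * above (not that function).  Blocking '/' is what turns the rootname into
 * a bare file stem rather than a path, the point made under CVE-2018-7442. */
int rootname_is_safe(const char *rootname)
{
    if (rootname == NULL || rootname[0] == '\0')
        return 0;
    return strpbrk(rootname, BAD_ROOTNAME_CHARS) == NULL;
}

/* Stricter allowlist for new code: ASCII letters, digits, '_', '-', '.' only
 * (so backtick, whitespace and newline, absent from the denylist, are also
 * rejected) and no leading '-' so the stem cannot be parsed as an option. */
int rootname_is_stem(const char *rootname)
{
    const unsigned char *p = (const unsigned char *)rootname;
    if (p == NULL || *p == '\0' || *p == '-')
        return 0;
    for (; *p != '\0'; p++)
        if (!isalnum(*p) && *p != '_' && *p != '-' && *p != '.')
            return 0;
    return 1;
}

/* Command a gplot-style helper would hand to system(3): 0 on success, -1 if
 * the rootname is rejected (CVE-2018-3836/-7440 shape) or the text would not
 * fit (CVE-2018-7247 shape: snprintf() bound, truncation treated as error). */
int build_gplot_cmd(const char *rootname, char *cmd, size_t cmdsize)
{
    int n;
    if (!rootname_is_safe(rootname))
        return -1;
    n = snprintf(cmd, cmdsize, "gnuplot %s.cmd", rootname);
    return (n < 0 || (size_t)n >= cmdsize) ? -1 : 0;
}

/* Header-line parser.  The CVE-2018-7186 shape is sscanf(line, "%s %d", ...)
 * with no field width; here 63 is NAME_BUFSIZE - 1, leaving room for the NUL. */
int parse_header_line(const char *line, char name[NAME_BUFSIZE], int *value)
{
    return sscanf(line, "%63s %d", name, value) == 2;
}

/* Demo helper: 1 if rootname is accepted and yields exactly `expected`. */
int cmd_matches(const char *rootname, const char *expected)
{
    char cmd[64];
    if (build_gplot_cmd(rootname, cmd, sizeof cmd) != 0)
        return 0;
    return strcmp(cmd, expected) == 0;
}

/* Demo helper: parsed integer from a "name value" line, or -1 if rejected. */
int header_value(const char *line)
{
    char name[NAME_BUFSIZE];
    int v = 0;
    return parse_header_line(line, name, &v) ? v : -1;
}

/* Constructed oversize input: a 100-character token, then " 5".  The width
 * stops the copy at 63 characters, "%d" fails on the leftover letters, and
 * the line is rejected instead of overflowing name[].  Returns 1 if so. */
int long_token_rejected(void)
{
    char line[128], name[NAME_BUFSIZE];
    int v = 0;
    memset(line, 'A', 100);
    strcpy(line + 100, " 5");
    return parse_header_line(line, name, &v) == 0 && strlen(name) == 63;
}

int main(void)
{
    /* Constructed rootnames: a benign stem, two injection shapes, a path. */
    const char *names[] = { "plot1", "$(id)", "a;rm -rf x", "/tmp/x" };
    char cmd[64];
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-12s -> %s\n", names[i],
               build_gplot_cmd(names[i], cmd, sizeof cmd) == 0 ? cmd : "rejected");
    printf("'width 640' -> %d, oversize token rejected: %d\n",
           header_value("width 640"), long_token_rejected());
    return 0;
}
```

Build with cc -std=c99 -Wall and run. rootname_is_stem() goes beyond what the changelog describes: the page's 12-character list is a denylist, and a denylist has to enumerate every shell metacharacter (the backtick and the newline, for instance, are not on it), whereas an allowlist of file-stem characters needs no such list. Either way, the stronger measure the changelog itself records is the one from 1.76.0 onward: keep the system(3) callers compiled out by default.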
diff -r1.14 -r1.15 pkgsrc/graphics/leptonica/Makefile
diff -r1.12 -r1.13 pkgsrc/graphics/leptonica/distinfo

cvs diff -r1.14 -r1.15 pkgsrc/graphics/leptonica/Makefile

--- pkgsrc/graphics/leptonica/Makefile 2018/05/09 11:39:04 1.14
+++ pkgsrc/graphics/leptonica/Makefile 2018/12/16 14:20:22 1.15
@@ -1,37 +1,40 @@ @@ -1,37 +1,40 @@
1# $NetBSD: Makefile,v 1.14 2018/05/09 11:39:04 adam Exp $ 1# $NetBSD: Makefile,v 1.15 2018/12/16 14:20:22 adam Exp $
2 2
3DISTNAME= leptonica-1.76.0 3DISTNAME= leptonica-1.77.0
4CATEGORIES= graphics 4CATEGORIES= graphics
5MASTER_SITES= ${MASTER_SITE_GITHUB:=danbloomberg/} 5MASTER_SITES= ${MASTER_SITE_GITHUB:=danbloomberg/}
6 6
7MAINTAINER= adam@NetBSD.org 7MAINTAINER= adam@NetBSD.org
8HOMEPAGE= http://www.leptonica.org/ 8HOMEPAGE= http://www.leptonica.org/
9COMMENT= Software for image processing and image analysis applications 9COMMENT= Software for image processing and image analysis applications
10LICENSE= 2-clause-bsd 10LICENSE= 2-clause-bsd
11 11
12GITHUB_RELEASE= ${PKGVERSION_NOREV} 12GITHUB_RELEASE= ${PKGVERSION_NOREV}
13 13
14USE_LANGUAGES= c c++ 14USE_LANGUAGES= c c++
15USE_LIBTOOL= yes 15USE_LIBTOOL= yes
16USE_TOOLS+= pkg-config 16USE_TOOLS+= pkg-config
17GNU_CONFIGURE= yes 17GNU_CONFIGURE= yes
18TEST_TARGET= check 18TEST_TARGET= check
19 19
20.include "../../mk/bsd.prefs.mk" 20.include "../../mk/bsd.prefs.mk"
21 21
22# The presence of fmemopen() assumes open_memstream() is also available, 22# The presence of fmemopen() assumes open_memstream() is also available,
23# which is wrong on platforms other than Linux. 23# which is wrong on platforms other than Linux.
24.if ${OPSYS} != "Linux" 24.if ${OPSYS} != "Linux"
25CONFIGURE_ENV+= ac_cv_func_fmemopen=no 25CONFIGURE_ENV+= ac_cv_func_fmemopen=no
26.endif 26.endif
27 27
 28# Silence console messages
 29CPPFLAGS+= -DNO_CONSOLE_IO=1
 30
28# Pass a SunOS that the build relies on 31# Pass a SunOS that the build relies on
29CPPFLAGS.SunOS+= -D__SOLARIS__=1 32CPPFLAGS.SunOS+= -D__SOLARIS__=1
30 33
31.include "../../graphics/giflib/buildlink3.mk" 34.include "../../graphics/giflib/buildlink3.mk"
32.include "../../graphics/libwebp/buildlink3.mk" 35.include "../../graphics/libwebp/buildlink3.mk"
33.include "../../graphics/openjpeg/buildlink3.mk" 36.include "../../graphics/openjpeg/buildlink3.mk"
34.include "../../graphics/png/buildlink3.mk" 37.include "../../graphics/png/buildlink3.mk"
35.include "../../graphics/tiff/buildlink3.mk" 38.include "../../graphics/tiff/buildlink3.mk"
36.include "../../mk/jpeg.buildlink3.mk" 39.include "../../mk/jpeg.buildlink3.mk"
37.include "../../mk/bsd.pkg.mk" 40.include "../../mk/bsd.pkg.mk"
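Review bot: the added `CPPFLAGS+= -DNO_CONSOLE_IO=1` (new lines 28-29) does more than the comment "Silence console messages" suggests: with NO_CONSOLE_IO defined, leptonica compiles out its L_ERROR, L_WARNING and L_INFO reporting for the whole library (return codes are unaffected, but the messages are gone), so every package that links against it loses those diagnostics. That is a behaviour change relative to the 1.76.0 package which the commit message ("updated to 1.77.0") does not mention. Suggest either expanding the comment to say which messages are removed and why that is acceptable, or exposing it as a PKG_OPTIONS knob that defaults to off, so the stock package keeps the library's own error reporting.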

cvs diff -r1.12 -r1.13 pkgsrc/graphics/leptonica/distinfo

--- pkgsrc/graphics/leptonica/distinfo 2018/05/09 11:39:04 1.12
+++ pkgsrc/graphics/leptonica/distinfo 2018/12/16 14:20:22 1.13
@@ -1,6 +1,6 @@ @@ -1,6 +1,6 @@
1$NetBSD: distinfo,v 1.12 2018/05/09 11:39:04 adam Exp $ 1$NetBSD: distinfo,v 1.13 2018/12/16 14:20:22 adam Exp $
2 2
3SHA1 (leptonica-1.76.0.tar.gz) = 5b93531f6f7e5b6c6870c9fba743008a77a93e4e 3SHA1 (leptonica-1.77.0.tar.gz) = 12a2fc81b4d0c1f910c29b831811b88cca8ae7ef
4RMD160 (leptonica-1.76.0.tar.gz) = 23a3a09614290d04de43e05df1b45b0b5adc9b42 4RMD160 (leptonica-1.77.0.tar.gz) = 577ae581b2a9fb8feff130f9bed37ecb45cb71d8
5SHA512 (leptonica-1.76.0.tar.gz) = 83c77bebbf739cecab997ee08f7c9abf3ca884019c559b8f77c292ea2676c464cbf9b6812d7f12aefceef86c19d04bb3bc85119de298647a641b984dcdf3b111 5SHA512 (leptonica-1.77.0.tar.gz) = 3cf764c76d5acb6d5982c44e78c02d7a7c3b5e79937c41df193e71dd8a02dbbf965d34a2ecdf0444e907cb73c06bdb8bcae4ceafbf5ee1483c022659e897015b
6Size (leptonica-1.76.0.tar.gz) = 12436958 bytes 6Size (leptonica-1.77.0.tar.gz) = 12888756 bytes
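Review bot: the four distinfo entries (SHA1, RMD160, SHA512, Size) are all updated together for leptonica-1.77.0.tar.gz and no patches are listed, so the package carries exactly what upstream ships. That matters for the CVE summary in the commit message: CVE-2018-7442 and CVE-2018-7441 are described there as "disabled by default" and "not enabled by default" rather than fixed, i.e. they are mitigated only by upstream's default build configuration, not by code this package pins. Suggest a sentence in the commit message stating that the pkgsrc build leaves those debug and gplot paths compiled out (the Makefile passes no flag that would re-enable them), so the status recorded at the Debian tracker link applies to this package as built.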