[3.12] gh-120384: Fix array-out-of-bounds crash in list_ass_subscript (GH-120442)

[miss-islington]

(cherry picked from commit 8334a1b)

Co-authored-by: Nikita Sobolev mail@sobolevn.me

• Issue: Array out of bounds assignment in list_ass_subscript #120384

[miss-islington-app]

Thanks @miss-islington for the PR, and @sobolevn for merging it 🌮🎉.. I'm working now to backport this PR to: 3.9.
🐍🍒⛏🤖

[miss-islington-app]

Thanks @miss-islington for the PR, and @sobolevn for merging it 🌮🎉.. I'm working now to backport this PR to: 3.10.
🐍🍒⛏🤖

[miss-islington-app]

Thanks @miss-islington for the PR, and @sobolevn for merging it 🌮🎉.. I'm working now to backport this PR to: 3.8.
🐍🍒⛏🤖

[miss-islington-app]

Thanks @miss-islington for the PR, and @sobolevn for merging it 🌮🎉.. I'm working now to backport this PR to: 3.11.
🐍🍒⛏🤖

[miss-islington-app]

Sorry, @miss-islington and @sobolevn, I could not cleanly backport this to 3.9 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker d75eddcf36986ae971f42fd516f737169081e182 3.9

[miss-islington-app]

Sorry, @miss-islington and @sobolevn, I could not cleanly backport this to 3.8 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker d75eddcf36986ae971f42fd516f737169081e182 3.8

[miss-islington-app]

Sorry, @miss-islington and @sobolevn, I could not cleanly backport this to 3.10 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker d75eddcf36986ae971f42fd516f737169081e182 3.10

[miss-islington-app]

Sorry, @miss-islington and @sobolevn, I could not cleanly backport this to 3.11 due to a conflict.
Please backport using cherry_picker on command line.

cherry_picker d75eddcf36986ae971f42fd516f737169081e182 3.11

[gpshead]

I'm exploring the feasibility of backports as, while we don't as a project consider the ability to execute arbitrary code when executing Python bytecode a security problem - because arbitrary code is just that. There are projects that'd benefit from this bugfix being in place from a security standpoint. It looks like it'll require some hand-holding to backport.

[sobolevn]

@gpshead do you want me to do that? :)
I can, but a bit later. I am on vacation for several days.

[gpshead]

No need, I've already created #121345 for that. I'll let the 3.11 and earlier release managers decide if they want it.

[serhiy-storchaka]

Reminder about backporting. @sobolevn

[sobolevn]

@serhiy-storchaka, sorry, what backport are you talking about? :)

[serhiy-storchaka]

There are labels.