• Fix miscalculation of itemsafter in array_set_slice(). · bdd8ed97
    Tom Lane authored
    If the slice to be assigned to was before the existing array lower bound
    (requiring at least one null element to spring into existence to fill the
    gap), the code miscalculated how many entries needed to be copied from
    the old array's null bitmap.  This could result in trashing the array's
    data area (as seen in bug #5840 from Karsten Loesing), or worse.
    
    This has been broken since we first allowed the behavior of assigning to
    non-adjacent slices, in 8.2.  Back-patch to all affected versions.
arrayfuncs.c 124 KB