Only adjust negative indexes in json_get up to the length of the path.

The previous code resulted in memory access beyond the path bounds. The
cure is to move it into a code branch that checks the value of lex_level
is within the correct bounds.

Bug reported and diagnosed by Piotr Stefaniak.

src/backend/utils/adt/jsonfuncs.c

@@ -977,16 +977,6 @@ get_array_start(void *state)
 	{
 		/* Initialize counting of elements in this array */
 		_state->array_cur_index[lex_level] = -1;
-	}
-	else if (lex_level == 0 && _state->npath == 0)
-	{
-		/*
-		 * Special case: we should match the entire array.  We only need this
-		 * at outermost level because at nested levels the match will have
-		 * been started by the outer field or array element callback.
-		 */
-		_state->result_start = _state->lex->token_start;
-	}
 
 		/* INT_MIN value is reserved to represent invalid subscript */
 		if (_state->path_indexes[lex_level] < 0 &&
@@ -998,6 +988,16 @@ get_array_start(void *state)
 			if (-_state->path_indexes[lex_level] <= nelements)
 				_state->path_indexes[lex_level] += nelements;
 		}
+	}
+	else if (lex_level == 0 && _state->npath == 0)
+	{
+		/*
+		 * Special case: we should match the entire array.  We only need this
+		 * at the outermost level because at nested levels the match will
+		 * have been started by the outer field or array element callback.
+		 */
+		_state->result_start = _state->lex->token_start;
+	}
 }
 
 static void