fix out-of-bounds read in jmespath negative-step slice #2670

Open
uwezkhan wants to merge 1 commit into stephenberry:main from uwezkhan:jmespath-negative-slice-bounds

@uwezkhan

Contributor

`handle_slice`'s read-all fallback clamps the slice with `wrap_index`, which returns a value in `[0, size]`. For a negative step the loop starts at `value[start_idx]` and walks down, so a start index at or past the array length (`[5:0:-1]` on a 3-element array) reads `value[size]`, one byte-region past the end. That same loop compacts in place while reading in reverse, so the ascending write index also clobbers elements the descending read has not reached, and `[4:0:-1]` over `[1,2,3,4,5]` returned `[5,4,3,4]` instead of `[5,4,3,2]`.

Positive steps keep the in-place compaction since the write index never overtakes the read index. The negative step now builds the slice in a separate buffer and starts no later than the last element, which drops both the over-read and the aliasing at the cost of one temporary allocation. Behavior matches the usual `[start:stop:-1]` slice (`[10:0:-1]` over five elements gives `[5,4,3,2]`).
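
An added illustration of the aliasing and the start clamp described in this pull request, not code from the PR or from glaze. `slice_desc_in_place` and `slice_desc_buffered` are hypothetical names, and indices are assumed to be already normalized (`stop` may be `-1` to mean "through element 0").

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <vector>

using Index = std::ptrdiff_t;

// Hypothetical stand-in for the in-place compaction (not glaze's handle_slice).
// Expects step < 0 and stop >= -1. A start at or past the end is rejected here
// instead of reproducing the over-read, so only the aliasing is shown.
std::vector<int> slice_desc_in_place(std::vector<int> v, Index start, Index stop, Index step)
{
   if (step >= 0 || stop < -1 || start >= static_cast<Index>(v.size())) return {};
   Index write = 0;
   for (Index i = start; i > stop; i += step) {
      v[write++] = v[i]; // ascending write can overwrite elements not yet read
   }
   v.resize(static_cast<std::size_t>(write));
   return v;
}

// Hardened form: clamp start to the last element and copy into a separate
// buffer, so reads stay in bounds and never see already-overwritten slots.
std::vector<int> slice_desc_buffered(const std::vector<int>& v, Index start, Index stop, Index step)
{
   std::vector<int> out;
   if (v.empty() || step >= 0) return out;
   start = std::min(start, static_cast<Index>(v.size()) - 1);
   stop = std::max(stop, Index{-1});
   for (Index i = start; i > stop; i += step) out.push_back(v[static_cast<std::size_t>(i)]);
   return out;
}

static void print(const char* label, const std::vector<int>& v)
{
   std::printf("%s:", label);
   for (int x : v) std::printf(" %d", x);
   std::printf("\n");
}

int main()
{
   const std::vector<int> five{1, 2, 3, 4, 5}; // constructed sample input
   print("in-place [4:0:-1]", slice_desc_in_place(five, 4, 0, -1));
   print("buffered [4:0:-1]", slice_desc_buffered(five, 4, 0, -1));
   print("buffered [10:0:-1]", slice_desc_buffered(five, 10, 0, -1));
   print("buffered [5:0:-1] on 3", slice_desc_buffered({1, 2, 3}, 5, 0, -1));
}
```
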
