GH-49917: [Python] numpy_convert.cc memory management（Use-After-Free） Bugs for PyList_SetItem in SparseCSFTensorToNdarray

[wr-web]

Rationale for this change

Py_DECREF(item) in PyList_SetItem will cause Use-After-Free bug if PyList_SetItem(indptr.obj(), i, item) < 0 is true, cause PyList_SetItem always steals a reference to the item, even when it fails.

What changes are included in this PR?

1. Remove Py_DECREF(item) in PyList_SetItem error path.

Are these changes tested?

By CI.

Are there any user-facing changes?

No.

• GitHub Issue: [Python] numpy_convert memory management（Use-After-Free） Bugs for PyList_SetItem in SparseCSFTensorToNdarray #49917

[github-actions]

Thanks for opening a pull request!

If this is not a minor PR. Could you open an issue for this pull request on GitHub? https://github.com/apache/arrow/issues/new/choose

Opening GitHub issues ahead of time contributes to the Openness of the Apache Arrow project.

Then could you also rename the pull request title in the following format?

GH-${GITHUB_ISSUE_ID}: [${COMPONENT}] ${SUMMARY}

or

MINOR: [${COMPONENT}] ${SUMMARY}

See also:

• Other pull requests
• Contribution Guidelines - Contributing Overview

[raulcd]

Thanks for the PR. Can you use the PR description template instead of removing it?
Can you also use the expected title for the PR as described on the automated message?

[pitrou]

(PR contents look good otherwise: PyList_SetItem always steals a reference to the item, even when it fails)

[wr-web]

Thanks for the PR. Can you use the PR description template instead of removing it? Can you also use the expected title for the PR as described on the automated message?

Done

[github-actions]

⚠️ GitHub issue #49917 has been automatically assigned in GitHub to PR creator.

[raulcd]

Thank you very much for the PR!
I've done a minor update to the title so our automated tools don't trip.