Tian authored
* fix(bits): prevent BitArray.UnmarshalJSON from crashing on 0 bits in the JSON (backport #2774) (#2778)

  This change fixes a bug in which BitArray.UnmarshalJSON hadn't accounted for the fact that invoking NewBitArray(<=0) returns nil and hence when dereferenced would crash with a runtime nil pointer dereference. This bug was found by my security analysis and fuzzing too.

  Author: @odeke-em

  Fixes https://github.com/cometbft/cometbft/issues/2658

  ---

  - [x] Tests written/updated
  - [x] Changelog entry added in `.changelog` (we use [unclog](https://github.com/informalsystems/unclog) to manage our changelog)
  - [ ] ~~Updated relevant documentation (`docs/` or `spec/`) and code comments~~
  - [x] Title follows the [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) spec

  <hr>This is an automatic backport of pull request #2774 done by [Mergify](https://mergify.com).

  ---------

  Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>

* fix(consensus/reactor): reject oversized proposals (backport #5324) (#5407)

  ---

  Updates the consensus reactor to validate that a received proposal will not contain more parts than the amount of chunks that it would take to build a block whose size is equal to `ConsensusParams.Block.MaxBytes`.

  Original PR is here https://github.com/cometbft/cometbft/pull/5309, but reopened since the contributor stopped replying.

  - [ ] Tests written/updated
  - [ ] Changelog entry added in `.changelog` (we use [unclog](https://github.com/informalsystems/unclog) to manage our changelog)
  - [ ] Updated relevant documentation (`docs/` or `spec/`) and code comments

  <hr>This is an automatic backport of pull request #5324 done by [Mergify](https://mergify.com).

  Co-authored-by: Alex | Interchain Labs <alex@cosmoslabs.io>
  Co-authored-by: arsushi <richie@asymmetric.re>
  Co-authored-by: Abdul Malek <me@almk.dev>
  Co-authored-by: Matt Acciai <matt@skip.money>
  Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
  Co-authored-by: Tyler <48813565+technicallyty@users.noreply.github.com>
  Co-authored-by: maradini77 <140460067+maradini77@users.noreply.github.com>

* Merge commit from fork

* add ValidateBasic to BitArray to ensure Bits and len(Elems) are valid

* call ValidateBasic on BitArrays when receiving as a msg from external nodes

* enforce SetIndex is not setting out of bounds

* add guard to getNumTrueIndices

  getNumTrueIndices will index out of bounds if Bits and Elems have a mismatch where len(elems) != (bits+63)/64, this guard makes it simply return 0 if this mismatch is present

* changelog

* fix missing import for v0.38.x

* update changelog for release of v0.38.19

* remove duplicate bug fixes from unreleased

* fix changelog date

* fix lint

* fix expected error string in test

* add necessary test constants

---------

Co-authored-by: mergify[bot] <37929162+mergify[bot]@users.noreply.github.com>
Co-authored-by: Anton Kaliaev <anton.kalyaev@gmail.com>
Co-authored-by: Alex | Interchain Labs <alex@cosmoslabs.io>
Co-authored-by: arsushi <richie@asymmetric.re>
Co-authored-by: Abdul Malek <me@almk.dev>
Co-authored-by: Matt Acciai <matt@skip.money>
Co-authored-by: Tyler <48813565+technicallyty@users.noreply.github.com>
Co-authored-by: maradini77 <140460067+maradini77@users.noreply.github.com>
Co-authored-by: Matt Acciai <matt@cosmoslabs.io>
To find the state of this project's repository at the time of any of these versions, check out the tags.
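
An added example, not the CometBFT code: a simplified Go bit array that enforces the invariant named in the commit message, len(Elems) == (Bits+63)/64, and applies it in a bounds-checked SetIndex and a guarded count. The struct layout, the NumTrue helper and the choice to treat a nil array as invalid are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"math/bits"
)

// BitArray is a simplified stand-in for a bit array decoded from a peer message.
type BitArray struct {
	Bits  int      // number of addressable bits claimed by the sender
	Elems []uint64 // backing words, 64 bits each
}

// ValidateBasic rejects arrays whose claimed size disagrees with their storage.
func (b *BitArray) ValidateBasic() error {
	if b == nil || b.Bits < 0 { // assumption: nil is treated as invalid here
		return fmt.Errorf("nil or negative-size bit array")
	}
	if want := (b.Bits + 63) / 64; len(b.Elems) != want {
		return fmt.Errorf("len(Elems)=%d, want %d for Bits=%d", len(b.Elems), want, b.Bits)
	}
	return nil
}

// SetIndex writes bit i only when the array is consistent and i is in range.
func (b *BitArray) SetIndex(i int, v bool) bool {
	if b.ValidateBasic() != nil || i < 0 || i >= b.Bits {
		return false
	}
	b.Elems[i/64] &^= 1 << uint(i%64)
	if v {
		b.Elems[i/64] |= 1 << uint(i%64)
	}
	return true
}

// NumTrue counts set bits in the backing words, returning 0 on a Bits/Elems mismatch.
func (b *BitArray) NumTrue() (n int) {
	if b.ValidateBasic() != nil {
		return 0
	}
	for _, w := range b.Elems {
		n += bits.OnesCount64(w)
	}
	return n
}

func main() {
	fmt.Println((&BitArray{Bits: 1 << 20, Elems: []uint64{0}}).ValidateBasic()) // constructed forged message
}
```
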