Dandandan opened a new issue, #22226: URL: https://github.com/apache/datafusion/issues/22226
### Describe the bug `arrow_cast(..., 'FixedSizeBinary(-1)')` accepts a negative element length at planning time and panics on use with `LayoutError`. The panic surfaces from `arrow-buffer`'s `MutableBuffer::with_capacity` `unwrap()` of the `Layout::array` result for a negative-sized layout. This mirrors the pattern in #22194 (`arrow_cast` accepts invalid time-unit combinations and panics on use) but for a different invalid type spec: a negative element length on `FixedSizeBinary`. ### To Reproduce ```bash cargo run -p datafusion-cli -- -c "SELECT arrow_cast(NULL, 'FixedSizeBinary(-1)')" ``` ### Actual behavior ``` DataFusion CLI v53.1.0 thread 'main' panicked at .../arrow-buffer-58.2.0/src/buffer/mutable.rs:168:62: called `Result::unwrap()` on an `Err` value: LayoutError note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace ``` ### Expected behavior `arrow_cast` should reject the type spec at parse/plan time with a clear error (e.g. `"FixedSizeBinary element length must be non-negative"`), or, if accepted, return an execution error rather than panicking. ### Environment - DataFusion CLI v53.1.0 (from `main` at commit 8741a7752c) - arrow-buffer 58.2.0 ### Additional context Found via SQL fuzzing through the CLI. Same defensive-validation gap class as #22194 — `arrow_cast`'s type-spec parser is currently more permissive than the resulting arrow layout will accept. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
