panic: arrow_cast(NULL, 'FixedSizeBinary(-1)') panics with LayoutError

[Dandandan]

Describe the bug

arrow_cast(..., 'FixedSizeBinary(-1)') accepts a negative element length at planning time and panics on use with LayoutError. The panic surfaces from arrow-buffer's MutableBuffer::with_capacity unwrap() of the Layout::array result for a negative-sized layout.

This mirrors the pattern in #22194 (arrow_cast accepts invalid time-unit combinations and panics on use) but for a different invalid type spec: a negative element length on FixedSizeBinary.

To Reproduce

cargo run -p datafusion-cli -- -c "SELECT arrow_cast(NULL, 'FixedSizeBinary(-1)')"

Actual behavior

DataFusion CLI v53.1.0

thread 'main' panicked at .../arrow-buffer-58.2.0/src/buffer/mutable.rs:168:62:
called `Result::unwrap()` on an `Err` value: LayoutError
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

Expected behavior

arrow_cast should reject the type spec at parse/plan time with a clear error (e.g. "FixedSizeBinary element length must be non-negative"), or, if accepted, return an execution error rather than panicking.

Environment

• DataFusion CLI v53.1.0 (from main at commit 8741a77)
• arrow-buffer 58.2.0

Additional context

Found via SQL fuzzing through the CLI. Same defensive-validation gap class as #22194 — arrow_cast's type-spec parser is currently more permissive than the resulting arrow layout will accept.