Fix Turso TextValue::free / Blob::free fat-pointer corruption

TextValue stores Box<str>::into_raw() cast to *const u8 (losing the
length from the fat pointer). free() reconstructs Box<u8> (size 1
byte) and frees what the allocator tracks as a larger allocation,
corrupting the heap. This was the segfault in UDF result freeing
(hitting every test that returns text/blob from a PHP UDF, including
testFromBase64Function). Rebuild the fat pointer from the stored
length at free time.

Author: JanJakes

.github/workflows/phpunit-tests-turso.yml

@@ -105,6 +105,70 @@ jobs:
           print(f'patched {n} sqlite3_column_* functions')
           PY
 
+          # TextValue/Blob `free` reconstructs `Box<u8>` / `Box<u8>` from a
+          # pointer that was originally `Box<str>` / `Box<[u8]>` (fat
+          # pointers, length lost in the cast). This corrupts the heap when
+          # custom UDFs return text/blob values. Fix both frees to use the
+          # stored length and rebuild the correct slice box.
+          python3 - <<'PY_FIX_TYPES'
+          p = '../extensions/core/src/types.rs'
+          s = open(p).read()
+
+          # TextValue::free
+          old_text = (
+              "    #[cfg(feature = \"core_only\")]\n"
+              "    fn free(self) {\n"
+              "        if !self.text.is_null() {\n"
+              "            let _ = unsafe { Box::from_raw(self.text as *mut u8) };\n"
+              "        }\n"
+              "    }\n"
+          )
+          new_text = (
+              "    #[cfg(feature = \"core_only\")]\n"
+              "    fn free(self) {\n"
+              "        if !self.text.is_null() && self.len > 0 {\n"
+              "            unsafe {\n"
+              "                let slice = std::slice::from_raw_parts_mut(\n"
+              "                    self.text as *mut u8, self.len as usize);\n"
+              "                let _ = Box::from_raw(slice as *mut [u8]);\n"
+              "            }\n"
+              "        }\n"
+              "    }\n"
+          )
+          assert old_text in s, 'TextValue::free not found'
+          s = s.replace(old_text, new_text, 1)
+
+          # Blob::free uses the same pattern. Replace it too if present.
+          import re
+          blob_pat = re.compile(
+              r'(impl Blob \{\n(?:[^}]|\{[^}]*\})*?)'
+              r'(    #\[cfg\(feature = "core_only"\)\]\n'
+              r'    fn free\(self\) \{\n'
+              r'        if !self\.data\.is_null\(\) \{\n'
+              r'            let _ = unsafe \{ Box::from_raw\(self\.data as \*mut u8\) \};\n'
+              r'        \}\n'
+              r'    \}\n)'
+          )
+          m = blob_pat.search(s)
+          if m:
+              new_blob = (
+                  "    #[cfg(feature = \"core_only\")]\n"
+                  "    fn free(self) {\n"
+                  "        if !self.data.is_null() && self.size > 0 {\n"
+                  "            unsafe {\n"
+                  "                let slice = std::slice::from_raw_parts_mut(\n"
+                  "                    self.data as *mut u8, self.size as usize);\n"
+                  "                let _ = Box::from_raw(slice as *mut [u8]);\n"
+                  "            }\n"
+                  "        }\n"
+                  "    }\n"
+              )
+              s = s[:m.start(2)] + new_blob + s[m.end(2):]
+              print('patched Blob::free')
+          open(p, 'w').write(s)
+          print('patched TextValue::free')
+          PY_FIX_TYPES
+
           # Turso's create_function_v2 invokes the previous FuncSlot's destroy
           # callback when re-registering a UDF with the same name. In practice
           # (PHPUnit) this means: