Fix remaining fuzzer issues: leaks, UBSAN NaN, macOS LLVM version

- fuzz.yaml: switch macOS to llvm@18 (latest LLVM uses typed allocation
  C++ ABI symbols not available on macOS 14 runner's system libc++)
- sqlite-vec.c: fix NaN input in vec_quantize_int8 by using !(val <= X)
  comparisons which evaluate to true for NaN, ensuring the clamp fires
- sqlite-vec.c: free pzErrMsg in vec_eachFilter error path (was leaking
  the error string returned by vector_from_value)
- sqlite-vec.c: add sqlite3_free(pNew) to vec0_init error path; vec0_free
  frees the contents but not the struct itself, mirroring vec0Disconnect
- sqlite-vec.c: free knn_data in vec0Filter_knn cleanup when rc != SQLITE_OK;
  on error the cursor's knn_data field is never set so it would not be
  freed by the cursor teardown path

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.github/workflows/fuzz.yaml

@@ -63,20 +63,20 @@ jobs:
     runs-on: macos-14
     steps:
       - uses: actions/checkout@v4
-      - name: Install LLVM
-        run: brew install llvm
+      - name: Install LLVM 18
+        run: brew install llvm@18
       - run: ./scripts/vendor.sh
       - name: Generate sqlite-vec.h
         run: make sqlite-vec.h
       - name: Build fuzz targets
         run: |
-          LLVM=/opt/homebrew/opt/llvm
+          LLVM=/opt/homebrew/opt/llvm@18
           make -C tests/fuzz all \
             FUZZ_CC=$LLVM/bin/clang \
-            FUZZ_LDFLAGS="-Wl,-ld_classic -L$LLVM/lib/c++ -Wl,-rpath,$LLVM/lib/c++"
+            FUZZ_LDFLAGS="-Wl,-ld_classic"
       - name: Run fuzz targets
         env:
-          DYLD_LIBRARY_PATH: "/opt/homebrew/opt/llvm/lib/c++:${{ env.DYLD_LIBRARY_PATH }}"
+          DYLD_LIBRARY_PATH: "/opt/homebrew/opt/llvm@18/lib/c++:${{ env.DYLD_LIBRARY_PATH }}"
         run: |
           DURATION=${{ github.event.inputs.duration || '60' }}
           EXIT_CODE=0