PHPC-849: Fix leaking of current element in setTypeMap()

Author: jmikola

src/MongoDB/Cursor.c

@@ -227,9 +227,23 @@ PHP_METHOD(Cursor, setTypeMap)
 		return;
 	}
 
+	/* Check if the existing element needs to be freed before we overwrite
+	 * visitor_data, which contains the only reference to it. */
+	if (!Z_ISUNDEF(intern->visitor_data.zchild)) {
+		php_phongo_cursor_free_current(intern);
+	}
+
 	phongo_bson_typemap_to_state(typemap, &state.map TSRMLS_CC);
 
 	intern->visitor_data = state;
+
+	/* If the cursor has a current element, we just freed it and should restore
+	 * it with a new type map applied. */
+	if (mongoc_cursor_current(intern->cursor)) {
+		const bson_t *doc = mongoc_cursor_current(intern->cursor);
+
+		phongo_bson_to_zval_ex(bson_get_data(doc), doc->len, &intern->visitor_data);
+	}
 }
 /* }}} */
 

tests/cursor/bug0849-001.phpt

@@ -0,0 +1,42 @@
+--TEST--
+PHPC-849: Cursor::setTypeMap() leaks current element if called during iteration
+--SKIPIF--
+<?php require __DIR__ . "/../utils/basic-skipif.inc"; CLEANUP(STANDALONE) ?>
+--FILE--
+<?php
+require_once __DIR__ . "/../utils/basic.inc";
+
+$manager = new MongoDB\Driver\Manager(STANDALONE);
+
+$bulk = new MongoDB\Driver\BulkWrite();
+$bulk->insert(['_id' => 1]);
+$bulk->insert(['_id' => 2]);
+$bulk->insert(['_id' => 3]);
+$manager->executeBulkWrite(NS, $bulk);
+
+$cursor = $manager->executeQuery(NS, new MongoDB\Driver\Query([]));
+$cursor->setTypeMap(['root' => 'stdClass']);
+
+foreach ($cursor as $i => $document) {
+    // Type map will apply to the next iteration, since current element is already converted
+    $cursor->setTypeMap(['root' => ($i % 2 ? 'stdClass' : 'array')]);
+    var_dump($document);
+}
+
+?>
+===DONE===
+<?php exit(0); ?>
+--EXPECTF--
+object(stdClass)#%d (%d) {
+  ["_id"]=>
+  int(1)
+}
+array(1) {
+  ["_id"]=>
+  int(2)
+}
+object(stdClass)#%d (%d) {
+  ["_id"]=>
+  int(3)
+}
+===DONE===