Priority: Major - P3
Affects Version/s: 1.9.0
Fix Version/s: 1.9.1
PHPC-1067: I found an off-by-one error in bson_append_regex.
The calculation for the number of required bytes is off by one, since https://github.com/mongodb/libbson/commit/f9c179bb#diff-834e3eef392f29fc84e766ec869ff972L1533
The annotated calculation is:
If you compare (1 + key_length + 1 + regex_len + options_sorted->len) with the sum of all the lengths, you see it's missing 1 (the extra null of the options_sorted->len).
This can cause an out-of-bounds write.
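Added example, not code from the report or from libbson: a bounds-checked serializer for a BSON regex element that makes the one-byte shortfall concrete. The BSON layout (type byte 0x0B, then key, pattern and options each as a NUL-terminated cstring) is from the BSON spec; the shape of the buggy formula follows the reporter's description and assumes regex_len already counts the pattern's NUL while options_sorted->len does not. The function names and the sample key/pattern/options are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* BSON regex element layout (BSON spec):
 *   0x0B | key cstring | pattern cstring | options cstring
 * Every cstring is its bytes plus exactly one NUL terminator. */

/* Correct byte count, given the three lengths WITHOUT their NULs. */
size_t regex_element_size(size_t key_len, size_t regex_len, size_t options_len)
{
    return 1 + key_len + 1 + regex_len + 1 + options_len + 1;
}

/* Assumed reading of the 1.9.0 expression from the report:
 * regex_len_with_nul = strlen(regex) + 1, options_len = options_sorted->len,
 * and no +1 for the options terminator. */
size_t buggy_element_size(size_t key_len, size_t regex_len_with_nul, size_t options_len)
{
    return 1 + key_len + 1 + regex_len_with_nul + options_len;
}

/* Serialize into buf, refusing to write past cap. Returns bytes written,
 * or -1 when the element would not fit (an unchecked writer would overrun here). */
long write_regex_element(uint8_t *buf, size_t cap,
                         const char *key, const char *regex, const char *options)
{
    size_t key_len = strlen(key), regex_len = strlen(regex), options_len = strlen(options);
    size_t need = regex_element_size(key_len, regex_len, options_len);
    if (need > cap) {
        return -1;
    }
    size_t off = 0;
    buf[off++] = 0x0B;                                   /* BSON_TYPE_REGEX */
    memcpy(buf + off, key, key_len + 1);         off += key_len + 1;
    memcpy(buf + off, regex, regex_len + 1);     off += regex_len + 1;
    memcpy(buf + off, options, options_len + 1); off += options_len + 1;
    return (long) off;
}

/* Try the write with a buffer capacity of exactly cap bytes. */
long try_write(const char *key, const char *regex, const char *options, size_t cap)
{
    uint8_t buf[256];
    if (cap > sizeof buf) {
        return -1;
    }
    return write_regex_element(buf, cap, key, regex, options);
}

/* Size the buffer with the buggy formula: returns 1 if the write is rejected
 * (i.e. the buffer is one byte short), 0 if it fits. */
int buggy_size_is_short(const char *key, const char *regex, const char *options)
{
    size_t cap = buggy_element_size(strlen(key), strlen(regex) + 1, strlen(options));
    return try_write(key, regex, options, cap) < 0;
}

int main(void)
{
    /* Constructed sample input: key "a", pattern "abc", options "im". */
    size_t ok = regex_element_size(1, 3, 2);
    size_t bad = buggy_element_size(1, 3 + 1, 2);
    printf("correct size %zu, buggy size %zu, shortfall %zu\n", ok, bad, ok - bad);
    printf("buggy-sized buffer rejected by bounds check: %d\n",
           buggy_size_is_short("a", "abc", "im"));
    return 0;
}
```

The shortfall is always exactly one byte, independent of the key, pattern or options length, because the only term left out is the options cstring's NUL terminator; with an empty options string the element still needs that terminating byte.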