- Type: Bug
- Resolution: Unresolved
- Priority: Major - P3
- Affects Version/s: None
- Component/s: None
- Query Integration
- ALL
I had thought that we did not guard against a buffer overflow in MultiBsonStreamCursor, and so I filed this bug. It turns out I was wrong about the possibility of a buffer overflow, so I am just adding a comment for future readers of the code. The original description is below.
MultiBsonStreamCursor reads BSON objects from a stream into a buffer. BSON objects start with a 32-bit length. If the buffer already contains part of the size, it attempts to read the rest of the size, and it makes the assumption that the buffer is large enough. This assumption may not be true.
If we were to hit this case, we could write past the end of the buffer.
We read the next BSON object's size here.
Compare this to where we read the entire object into the buffer, where we have logic to expand the buffer if necessary, here.
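To make the scenario in the report concrete, the following is an added example of a length-prefixed BSON stream reader with the guard the reporter was looking for: the buffer is grown before every read, including the 4-byte size read, so a leftover partial size prefix can never cause a write past the end of the buffer. This is illustration code written for this page, not MongoDB's MultiBsonStreamCursor; the `mem_stream` and `bson_cursor` types, the 16 MiB per-object cap, and the sample stream are all constructed here. The little-endian 32-bit size and the trailing NUL byte are from the BSON specification.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed in-memory stream standing in for the file or socket the cursor
 * reads from (hypothetical type, not MongoDB's). `max_chunk` caps each read so
 * a caller can force short reads, which is how a size prefix ends up split. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
    size_t max_chunk;
} mem_stream;

static size_t stream_read(mem_stream *s, uint8_t *dst, size_t n) {
    size_t avail = s->len - s->pos;
    if (n > avail) n = avail;
    if (n > s->max_chunk) n = s->max_chunk;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    return n;
}

/* Growable read buffer: `len` bytes are held, possibly a partial object. */
typedef struct {
    uint8_t *buf;
    size_t cap;
    size_t len;
} bson_cursor;

static int ensure_capacity(bson_cursor *c, size_t need) {
    size_t ncap = c->cap ? c->cap : 1;
    uint8_t *nb;
    if (need <= c->cap) return 1;
    while (ncap < need) ncap *= 2;
    nb = realloc(c->buf, ncap);
    if (!nb) return 0;
    c->buf = nb;
    c->cap = ncap;
    return 1;
}

/* Make sure at least `need` bytes are buffered. The capacity check runs before
 * every read, so the 4-byte size read is guarded exactly like the object read.
 * Reads fill whatever capacity is free, so bytes belonging to the following
 * object (possibly part of its size) legitimately stay behind in the buffer. */
static int fill_to(bson_cursor *c, mem_stream *s, size_t need) {
    if (!ensure_capacity(c, need)) return 0;
    while (c->len < need) {
        size_t got = stream_read(s, c->buf + c->len, c->cap - c->len);
        if (got == 0) return 0;            /* EOF in the middle of an object */
        c->len += got;
    }
    return 1;
}

#define MAX_BSON_OBJ (16u * 1024u * 1024u)  /* assumed upper bound per object */

/* Returns the size of the next object (its bytes are c->buf[0..size)),
 * 0 at a clean end of stream, -1 on a truncated or malformed stream. */
static long next_bson(bson_cursor *c, mem_stream *s) {
    uint32_t size;
    if (c->len == 0 && s->pos == s->len) return 0;
    if (!fill_to(c, s, 4)) return -1;
    size = (uint32_t)c->buf[0] | ((uint32_t)c->buf[1] << 8) |
           ((uint32_t)c->buf[2] << 16) | ((uint32_t)c->buf[3] << 24);
    if (size < 5 || size > MAX_BSON_OBJ) return -1;  /* 5 bytes = empty doc */
    if (!fill_to(c, s, size)) return -1;
    if (c->buf[size - 1] != 0) return -1;            /* BSON ends with NUL */
    return (long)size;
}

/* Drop the object just returned; bytes read past it shift to the front. */
static void consume(bson_cursor *c, size_t size) {
    memmove(c->buf, c->buf + size, c->len - size);
    c->len -= size;
}

/* Walk a whole stream. Returns the object count, or -1 on error. If `total`
 * is non-NULL it receives the number of object bytes consumed. */
long count_bson_objects(const uint8_t *data, size_t n, size_t max_chunk,
                        size_t initial_cap, long *total) {
    mem_stream s = { data, n, 0, max_chunk };
    bson_cursor c = { NULL, 0, 0 };
    long count = 0, size;
    if (total) *total = 0;
    if (!ensure_capacity(&c, initial_cap)) return -1;
    while ((size = next_bson(&c, &s)) > 0) {
        count++;
        if (total) *total += size;
        consume(&c, (size_t)size);
    }
    free(c.buf);
    return size < 0 ? -1 : count;
}

/* Constructed sample stream: {"a": 1}, {}, {"a": 1} (12 + 5 + 12 = 29 bytes). */
const uint8_t SAMPLE_STREAM[] = {
    0x0c, 0, 0, 0, 0x10, 'a', 0, 1, 0, 0, 0, 0,
    0x05, 0, 0, 0, 0,
    0x0c, 0, 0, 0, 0x10, 'a', 0, 1, 0, 0, 0, 0,
};
const size_t SAMPLE_STREAM_LEN = sizeof SAMPLE_STREAM;
/* Constructed malformed stream: a zero size prefix. */
const uint8_t BAD_SIZE_STREAM[] = { 0, 0, 0, 0, 0 };

/* Byte total for the sample at a given read chunk size (29 on success). */
long sample_total_bytes(size_t max_chunk) {
    long total = 0;
    if (count_bson_objects(SAMPLE_STREAM, SAMPLE_STREAM_LEN, max_chunk, 2, &total) < 0)
        return -1;
    return total;
}

int main(void) {
    printf("objects: %ld\n", count_bson_objects(SAMPLE_STREAM, SAMPLE_STREAM_LEN, 3, 2, NULL));
    return 0;
}
```

Starting with a 2-byte buffer and a 3-byte read chunk forces both paths the report contrasts: the buffer must grow just to hold the size, and after each object a partial size prefix of the next one is already sitting in the buffer.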