The 1.4.0 function mongoc_client_get_server_descriptions is supposed to return an array of server description pointers and the number of pointers, "n". It omits server descriptions of "unknown" type.

But, instead of tightly packing pointers to known-type server descriptions, it instead leaves NULL pointers in the returned array. For example, if there are 2 known servers and 1 unknown server, mongoc_client_get_server_descriptions is supposed to return:

[known server, known server, NULL]
n=2

... instead, it returns:

[known server, NULL, known server]
n=2

This could crash the caller, which doesn't expect any NULLs. If the caller doesn't crash, it still gets incorrect results, because n=2 is supposed to mean that the first two array elements are server description pointers. If the caller gets far enough to call mongoc_server_descriptions_destroy_all, it will crash there.

The unreleased new 1.5.0 function mongoc_topology_description_get_servers has the same bug.