The `Type` unpacked from the snapshot delta is not validated and later stored in `m_SnapshotCurrent`. This index is used to read and write `m_aSnapshotDataRate` and `m_aSnapshotDataUpdates`. Out-of-bound indices (e.g. `INT_MAX` or random large integers) can easily crash the client. Arbitrary code execution is technically possible, though it would be hard to exploit, as the write accesses only increment the selected memory location.
This is fixed by ensuring that the `Type` is in the c...
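The defensive pattern the fix describes, as an added illustration that is not the project's own code: an index taken from untrusted network data is range-checked before it is ever used to subscript the per-type counters. The array names mirror the advisory; `NUM_SNAPSHOT_TYPES`, `SnapshotStats`, `AccountSnapshotItem`, `UnpackDelta` and the (Type, Size) pair layout of the delta are assumptions made for this example, and the sample deltas are constructed inputs.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed capacity of the per-type counters; not the project's own constant. */
#define NUM_SNAPSHOT_TYPES 64

/* Hypothetical container for the per-type statistics named in the advisory. */
typedef struct
{
	int m_aSnapshotDataRate[NUM_SNAPSHOT_TYPES];
	int m_aSnapshotDataUpdates[NUM_SNAPSHOT_TYPES];
	int m_RejectedItems; /* items dropped because Type was out of range */
} SnapshotStats;

/* The check the fix adds: Type must be a valid array index before any use.
   A signed compare also rejects negative values, not only large ones. */
static bool IsValidSnapshotType(int Type)
{
	return Type >= 0 && Type < NUM_SNAPSHOT_TYPES;
}

/* Hardened accounting step. Touches neither array when Type is out of range,
   so INT_MAX or a random large integer can no longer reach the increments. */
bool AccountSnapshotItem(SnapshotStats *pStats, int Type, int Size)
{
	if(!IsValidSnapshotType(Type) || Size < 0)
	{
		pStats->m_RejectedItems++;
		return false;
	}
	pStats->m_aSnapshotDataRate[Type] += Size;
	pStats->m_aSnapshotDataUpdates[Type]++;
	return true;
}

/* Walks a constructed delta laid out as consecutive (Type, Size) int pairs.
   Returns the number of accepted items, or -1 and stops at the first
   malformed item, since a client should discard the whole bad delta. */
int UnpackDelta(SnapshotStats *pStats, const int *pData, int NumInts)
{
	int Accepted = 0;
	for(int i = 0; i + 1 < NumInts; i += 2)
	{
		if(!AccountSnapshotItem(pStats, pData[i], pData[i + 1]))
			return -1;
		Accepted++;
	}
	return Accepted;
}

int main(void)
{
	SnapshotStats Stats = {0};

	/* Constructed well-formed delta: three items, two of type 3, one of type 7. */
	const int aGood[] = {3, 40, 3, 8, 7, 12};
	printf("good delta: %d items accepted\n", UnpackDelta(&Stats, aGood, 6));

	/* Constructed hostile delta: the second item carries Type = INT_MAX. */
	const int aBad[] = {5, 4, INT_MAX, 4, 1, 1};
	printf("bad delta: result %d, rejected so far %d\n",
		UnpackDelta(&Stats, aBad, 6), Stats.m_RejectedItems);
	return 0;
}
```

Rejecting the item before the subscript is the whole fix; counting rejections separately gives the client a cheap signal that a peer is sending malformed deltas, which is worth logging.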