From 800a5fbe92d9f8edd3997bad3d04299dc6d08ea5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Robert=20M=C3=BCller?=
Date: Fri, 11 Feb 2022 16:59:27 +0100
Subject: [PATCH] Fix integer overflow of snapshot delta item size
---
 src/engine/shared/snapshot.cpp | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/engine/shared/snapshot.cpp b/src/engine/shared/snapshot.cpp
index 4e6331c90..32efb71fd 100644
--- a/src/engine/shared/snapshot.cpp
+++ b/src/engine/shared/snapshot.cpp
@@ -4,6 +4,8 @@
 #include "compression.h"
 #include "uuid_manager.h"
+#include
+
 #include
 #include
@@ -380,6 +382,8 @@ int CSnapshotDelta::UnpackDelta(CSnapshot *pFrom, CSnapshot *pTo, const void *pS
 {
 if(pData + 1 > pEnd)
 return -2;
+ if(*pData < 0 || *pData > INT_MAX / 4)
+ return -3;
 ItemSize = (*pData++) * 4;
 }
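Review bot: The new guard before `ItemSize = (*pData++) * 4;` stops the signed multiplication from overflowing, but it still accepts any size up to `INT_MAX / 4` words, which is presumably far more than a snapshot delta can carry. Nothing visible in the hunk compares `ItemSize` with the data left before `pEnd`; UnpackDelta continues outside the hunk, so a range check may follow there, and that is worth confirming because the size field is read straight from the delta being unpacked. If the item payload follows the size field as `int` words (the pointer arithmetic suggests so, but the declarations are not shown), bounding against the remaining input would cover both the overflow and the over-read case: `if(*pData < 0 || *pData > pEnd - (pData + 1)) return -3;`. A short comment such as `// size field counts 4-byte words; reject values whose byte count would overflow int` would also explain the constant and the distinct `-3` return code.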