This out-of-bounds read occurs because EodHeader, StreamIdSize, and OrderQueueSize are not validated before they are accessed in the message header parser routine, CQmPacket::CQmPacket. The parser routine scrutinizes most of the message header, but the data structure for the header in question is not validated.
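The kind of check that is missing can be sketched as follows. This is an added example, not Microsoft's code or the actual patch: the two-field layout of `EodHeaderFixed` and the function `eod_header_validate` are hypothetical simplifications that reuse only the field names mentioned above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified layout for illustration; NOT the real MSMQ wire format. */
typedef struct {
    uint32_t StreamIdSize;   /* bytes of stream id after the fixed part */
    uint32_t OrderQueueSize; /* bytes of order queue name after the stream id */
} EodHeaderFixed;

/* Returns 1 and sets *total_len when the whole header fits inside the
 * `remaining` bytes starting at `hdr`; returns 0 otherwise. */
int eod_header_validate(const uint8_t *hdr, size_t remaining, size_t *total_len)
{
    EodHeaderFixed fixed;

    /* The fixed part must lie inside the packet before any field is read. */
    if (hdr == NULL || total_len == NULL || remaining < sizeof fixed)
        return 0;
    memcpy(&fixed, hdr, sizeof fixed); /* copy out: no unaligned access */

    /* Compare each size with what is left, subtracting instead of adding,
     * so a huge sender-supplied value cannot wrap the arithmetic. */
    size_t left = remaining - sizeof fixed;
    if (fixed.StreamIdSize > left)
        return 0;
    left -= fixed.StreamIdSize;
    if (fixed.OrderQueueSize > left)
        return 0;

    *total_len = sizeof fixed + fixed.StreamIdSize + fixed.OrderQueueSize;
    return 1;
}

int main(void)
{
    /* Constructed sample: the size field claims far more data than the packet holds. */
    uint8_t pkt[16] = {0};
    uint32_t sid = 0xFFFFFFF0u, oq = 4;
    size_t total = 0;
    memcpy(pkt, &sid, sizeof sid);
    memcpy(pkt + 4, &oq, sizeof oq);
    int ok = eod_header_validate(pkt, sizeof pkt, &total);
    printf("oversized StreamIdSize accepted: %d\n", ok);
    return 0;
}
```

A parser would call a check like this before touching any byte past the fixed part and drop the packet when it returns 0.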