Even the big games suffer from network-related vulnerabilities. One such example is GTA V. Exploits designed to crash people's games are widely used and accessible to pretty much anyone, and I wouldn't be surprised if one such exploit could have led to an RCE in the past.
Any developer will say they do this. But very few, if any, can do this perfectly for every line of code that they write. Humans are terrible at doing things all of the time. Expecting developers to remember to do bounds checks is setting yourself up for failure.
You can calloc the array instead of having a fixed size. You can validate the packet for <16.
The person who wrote this consciously thought to themselves "here's 16 slots I can fill, here is an external source that comes in with how many slots it wants to fill", at which point the server-authoritative-model senses should have started tingling, as well as the experienced-c-programmer-who-has-been-bitten-by-out-of-bounds-memory-accesses-before senses.
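The two fixes suggested in the comments above (check the sender's count against the 16-slot array, or calloc the array from the count) look like this in C. This is an added example, not part of the thread and not any game's code; the packet layout, the struct and the function names are assumptions made up for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_SLOTS 16

/* Assumed wire format (constructed for this example):
 *   byte 0    : slot count claimed by the sender
 *   bytes 1.. : count * 4 bytes, one little-endian uint32 per slot */
struct slot_table {
    uint32_t slots[MAX_SLOTS];
    size_t   used;
};

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Fixed-size variant: the count comes from the sender, so it is checked
 * against the array capacity and against the bytes actually received
 * before any slot is written. Returns 0 on success, -1 on rejection. */
int parse_slots_fixed(const uint8_t *pkt, size_t len, struct slot_table *out)
{
    if (len < 1) return -1;
    size_t count = pkt[0];
    if (count > MAX_SLOTS) return -1;      /* claimed count vs capacity */
    if (len - 1 < count * 4) return -1;    /* claimed count vs payload  */
    memset(out, 0, sizeof *out);
    for (size_t i = 0; i < count; i++)
        out->slots[i] = read_le32(pkt + 1 + i * 4);
    out->used = count;
    return 0;
}

/* calloc variant: the array is sized from the count, which still has to
 * match the received length. Caller frees; NULL means rejected. */
uint32_t *parse_slots_dynamic(const uint8_t *pkt, size_t len, size_t *n_out)
{
    if (len < 1 || len - 1 < (size_t)pkt[0] * 4) return NULL;
    size_t count = pkt[0];
    uint32_t *slots = calloc(count ? count : 1, sizeof *slots);
    if (!slots) return NULL;
    for (size_t i = 0; i < count; i++)
        slots[i] = read_le32(pkt + 1 + i * 4);
    *n_out = count;
    return slots;
}
```

Either way the length check is what keeps a short packet with a large count from driving reads past the end of the receive buffer; the calloc variant only removes the fixed capacity limit.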
This reminds me of a pair of episodes on Darknet Diaries - Manfred - ep. 7/8. Opened my eyes to how insecure games actually are (were?) and how the economy of virtual item trading moved from eBay to in-game transactions: