by kaizoku_ 5595 days ago
This guy doesn't really seem to understand the bug he's trying to explain or actually what happened in his "accident".
1 comment

I think he understands it all too well (and missed explaining a lot of things that a casual reader really needs to know).

The code execution is not the point of the story.

The title makes me think that the code execution is the point of the story and he doesn't seem to understand how that happens in fnmatch().
He's established that the stack pointer rolls over due to integer overflow. He hasn't established exactly which part of the input data gets copied over the return pointer, but you're only really interested in that if you're trying to exploit the weakness. Establishing that the stack pointer does overflow is sufficient for the purposes of fixing the bug.