by kaizoku_ 5595 days ago
The title makes me think that the code execution is the point of the story and he doesn't seem to understand how that happens in fnmatch().
1 comments

He's established that the stack pointer rolls over due to integer overflow. He hasn't established exactly which part of the input data gets copied over the return pointer, but you're only really interested in that if you're trying to exploit the weakness. Establishing that the stack pointer does overflow is sufficient for the purposes of fixing the bug.