Unfortunately, I don't think I have the code anymore. But the gist of it is that, say, you have two threads in a process. One of the threads contains a function like this:
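    void recurse(int m, int n) {
        if (m <= 0) return;   /* 'm' sets the recursion depth */
        char arr[n];          /* variable length array: each frame takes 'n' bytes of stack */
        recurse(m - 1, n);
    }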
If 'm' and 'n' are user-controlled, 'recurse' is executing in thread A, and thread A's stack is above thread B's stack, then you can cause 'recurse' to recurse down to the point that it makes its way into thread B's stack region. Normally, this is prevented by 'guard pages' in between the two threads' stacks. However, if you have a variable length array, as in the example, it's possible to allocate enough memory to just skip right over the guard page. Once you've done this, you're now writing directly into the other thread's stack, with all the fun stuff that entails.
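
A defensive counterpart to the function in the comment above, added here as an example and not part of the original comment: every frame has a fixed size smaller than a guard page, oversized requests go to the heap, and the depth is capped. The names `recurse_bounded`, `GUARD_PAGE_BYTES`, `MAX_FRAME_BUF` and `MAX_DEPTH`, and their values, are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD_PAGE_BYTES 4096  /* assumed guard size; query the platform in real code */
#define MAX_FRAME_BUF    1024  /* fixed per-frame buffer */
#define MAX_DEPTH        128   /* assumed cap: 128 frames of ~1 KiB fit a default stack */

/* A frame smaller than the guard page cannot step over it: running out of
   stack then faults on the guard page instead of reaching another stack. */
_Static_assert(MAX_FRAME_BUF < GUARD_PAGE_BYTES, "frame must not span a guard page");

/* Returns the number of levels executed, or -1 if the untrusted (m, n)
   pair is rejected or a heap allocation fails. */
int recurse_bounded(int m, int n)
{
    if (m < 0 || m > MAX_DEPTH || n <= 0)
        return -1;                   /* reject out-of-range depth or size */
    if (m == 0)
        return 0;

    char small[MAX_FRAME_BUF];       /* constant size, no VLA */
    char *buf = small;
    if ((size_t)n > sizeof small) {
        buf = malloc((size_t)n);     /* large buffers live on the heap */
        if (buf == NULL)
            return -1;
    }
    memset(buf, 0, (size_t)n);       /* stand-in for the real work on the buffer */

    int below = recurse_bounded(m - 1, n);
    if (buf != small)
        free(buf);
    return below < 0 ? -1 : below + 1;
}

int main(void)
{
    printf("small request:  %d\n", recurse_bounded(3, 16));
    printf("large request:  %d\n", recurse_bounded(4, 100000));
    printf("depth too high: %d\n", recurse_bounded(1000, 16));
    return 0;
}
```

Building with `-Wvla` flags any remaining variable length arrays, and `-fstack-clash-protection` (GCC and Clang) makes the compiler probe each page of a large or variable-size stack allocation so it hits the guard page rather than skipping it.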