
...

When compiled for x86-64 using GCC v4.1.2 on Linux, the above example outputs the following when run:

setjmp() invoked
longjmp() invoked
Should not be called!

Because g() has finished executing by the time longjmp() is called, it is no longer on the stack. When do_stuff() is invoked, its stack frame occupies the same memory as the old stack frame of g(). In this case a was located at the same address as the saved return address of function g(). The call to memcpy() overwrites that return address, so when longjmp() sends control back to function g(), the function returns to the wrong address (in this case to function bad()).

If the array b were user-controlled, the user would be able to set the return address of function g() to any location.
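The safe counterpart to the scenario above is to make sure the function that called setjmp() is still on the stack whenever longjmp() targets its jmp_buf. The following is an added example (not the page's own code); run_guarded() and worker() are constructed names, and the input rule (negative values are treated as errors) is invented for illustration.

```c
#include <setjmp.h>
#include <stdio.h>

/* The jmp_buf is only valid while run_guarded() is active. longjmp() is
 * called from a callee that run_guarded() is still waiting on, so the frame
 * holding the saved return address cannot have been reused by another call. */
static jmp_buf error_env;

/* Constructed worker: signals an error for negative input by unwinding to
 * run_guarded(), which is still on the stack at this point. */
static int worker(int value)
{
    if (value < 0) {
        longjmp(error_env, 2);
    }
    return value * 2;
}

/* Returns the worker's result, or -1 if the worker unwound with an error.
 * *status_out receives setjmp()'s return value (0 = normal, 2 = error).
 * 'result' is volatile because C leaves non-volatile automatics that are
 * modified between setjmp() and longjmp() with indeterminate values. */
int run_guarded(int value, int *status_out)
{
    volatile int result = 0;
    int status = setjmp(error_env);
    if (status == 0) {
        result = worker(value);      /* normal path */
    } else {
        result = -1;                 /* reached via longjmp() */
    }
    if (status_out != NULL) {
        *status_out = status;
    }
    /* run_guarded() is the function that called setjmp(), so returning
     * from here uses a return address that was never overwritten. */
    return result;
}

int main(void)
{
    int status;
    printf("run_guarded(21) = %d (status %d)\n", run_guarded(21, &status), status);
    printf("run_guarded(-1) = %d (status %d)\n", run_guarded(-1, &status), status);
    return 0;
}
```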

...