but the gap name was copied to the heap, not the stack. However, he could overflow into a vtable of the next object that would call his code when the object was freed. However, the level save data ...