strcat was used in a callback to craft the XPath for each element, and it did this without any bounds checking. By nesting XML structures, an attacker could eventually overflow the memory region the path was allocated in. As this region immediately preceded heap memory, it was possible to overflow into the heap and overwrite the XML parser's callback function pointers (approximately 11,000 bytes away) and kick off a ROP chain.
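As an added illustration (not code from the episode or from the affected parser), the unchecked strcat pattern beside a bounds-checked replacement that refuses to grow the path instead of writing past its buffer; the buffer size, element name and function names are constructed assumptions:

```c
#include <stdio.h>
#include <string.h>

/* Constructed: a fixed-size path buffer, as a start-element callback might
 * use when building the XPath of the element currently being visited. */
#define XPATH_CAP 64

struct xpath_ctx {
    char buf[XPATH_CAP];   /* the region that deep nesting overflows */
    size_t len;            /* bytes used, excluding the NUL terminator */
};

/* The pattern described above: each nested element appends "/<name>" with
 * strcat and never compares against sizeof(buf), so enough nesting walks
 * past the end of the region into whatever is adjacent to it. */
void xpath_push_unchecked(struct xpath_ctx *ctx, const char *name)
{
    strcat(ctx->buf, "/");
    strcat(ctx->buf, name);   /* no bounds check */
}

/* Hardened form: compute the bytes needed first and refuse the append when
 * they do not fit, leaving the buffer unchanged and NUL-terminated.
 * Returns 0 on success, -1 when the path would exceed the buffer. */
int xpath_push_checked(struct xpath_ctx *ctx, const char *name)
{
    size_t need = 1 + strlen(name);           /* '/' plus the name */
    if (need > XPATH_CAP - 1 - ctx->len)      /* keep room for the NUL */
        return -1;
    ctx->buf[ctx->len++] = '/';
    memcpy(ctx->buf + ctx->len, name, strlen(name));
    ctx->len += strlen(name);
    ctx->buf[ctx->len] = '\0';
    return 0;
}

/* Simulate the parser visiting `depth` nested <a> elements. Returns the
 * depth at which the checked builder refused to grow, or depth if all fit. */
int nest_until_refused(int depth)
{
    struct xpath_ctx ctx = { .buf = "", .len = 0 };
    for (int i = 0; i < depth; i++)
        if (xpath_push_checked(&ctx, "a") != 0)
            return i;
    return depth;
}

int main(void)
{
    printf("checked builder stopped at depth %d of 100\n", nest_until_refused(100));
    return 0;
}
```

With a 64-byte buffer and two bytes per nested `<a>`, the checked builder stops at depth 31 while the unchecked one would keep writing.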
We discussed this vulnerability during Episode 138 on 19 April 2022.