#include <vector>
#include <iostream>
 
struct A {
  int m;
  A() {
    m = 'A';
  }
  friend std::ostream& operator<<(std::ostream&os, A a);
};
 
std::ostream& operator<<(std::ostream&os, A a) {
  os << a.m;
  return os;
}
 
int main()
{
        std::vector<int> a;
        a.push_back(0);
        a.pop_back();
        int & b = *a.begin(); // same as a.front(); in g++ 4.7
        std::cout << b << std::endl; // 0
 
        // now say we store something like 42 in a vector
        std::vector<int> c;
        c.push_back(42);
        c.pop_back();
        int & d = c.front();
        std::cout << d << std::endl; // 42
 
        // now let's corrupt the stack
        int *e = &c[0];
        *e = 17;
 
        // ta-da
        std::cout << d << std::endl; // 17
 
        // now let's corrupt the stack of vector<int> a in evil ways..
        double *f = reinterpret_cast<double*>(&a[0]);
        *f = 3.14;
 
        // ta-da again!
        std::cout << *reinterpret_cast<double*>(&b) << std::endl; // 3.14
 
        // or from a directly
        std::cout << *reinterpret_cast<double*>(&a.front()) << std::endl; // 3.14
 
        // but wait..!
        a.push_back(23);
        std::cout << b << std::endl; // 23 -- ZOMG! HOW?!
 
        a.pop_back();
        std::cout << b << std::endl; // 23 again!
 
        // more shenanigans
        A a2;
        a.push_back(*reinterpret_cast<int*>(&a2.m));
        std::cout << *reinterpret_cast<char*>(&*a.begin()) << std::endl; // A
 
        a.pop_back();
        a.push_back(*reinterpret_cast<char*>(&a2));
        std::cout << (char)*a.begin() << std::endl; // A again!
 
        // Conclusions: the stack is fun!
}
 

I2luY2x1ZGUgPHZlY3Rvcj4KI2luY2x1ZGUgPGlvc3RyZWFtPgoKc3RydWN0IEEgewogIGludCBtOwogIEEoKSB7CiAgICBtID0gJ0EnOwogIH0KICBmcmllbmQgc3RkOjpvc3RyZWFtJiBvcGVyYXRvcjw8KHN0ZDo6b3N0cmVhbSZvcywgQSBhKTsKfTsKCnN0ZDo6b3N0cmVhbSYgb3BlcmF0b3I8PChzdGQ6Om9zdHJlYW0mb3MsIEEgYSkgewogIG9zIDw8IGEubTsKICByZXR1cm4gb3M7Cn0KCmludCBtYWluKCkKewogICAgICAgIHN0ZDo6dmVjdG9yPGludD4gYTsKICAgICAgICBhLnB1c2hfYmFjaygwKTsKICAgICAgICBhLnBvcF9iYWNrKCk7CiAgICAgICAgaW50ICYgYiA9ICphLmJlZ2luKCk7IC8vIHNhbWUgYXMgYS5mcm9udCgpOyBpbiBnKysgNC43CiAgICAgICAgc3RkOjpjb3V0IDw8IGIgPDwgc3RkOjplbmRsOyAvLyAwCgogICAgICAgIC8vIG5vdyBzYXkgd2Ugc3RvcmUgc29tZXRoaW5nIGxpa2UgNDIgaW4gYSB2ZWN0b3IKICAgICAgICBzdGQ6OnZlY3RvcjxpbnQ+IGM7CiAgICAgICAgYy5wdXNoX2JhY2soNDIpOwogICAgICAgIGMucG9wX2JhY2soKTsKICAgICAgICBpbnQgJiBkID0gYy5mcm9udCgpOwogICAgICAgIHN0ZDo6Y291dCA8PCBkIDw8IHN0ZDo6ZW5kbDsgLy8gNDIKCiAgICAgICAgLy8gbm93IGxldCdzIGNvcnJ1cHQgdGhlIHN0YWNrCiAgICAgICAgaW50ICplID0gJmNbMF07CiAgICAgICAgKmUgPSAxNzsKCiAgICAgICAgLy8gdGEtZGEKICAgICAgICBzdGQ6OmNvdXQgPDwgZCA8PCBzdGQ6OmVuZGw7IC8vIDE3CgogICAgICAgIC8vIG5vdyBsZXQncyBjb3JydXB0IHRoZSBzdGFjayBvZiB2ZWN0b3I8aW50PiBhIGluIGV2aWwgd2F5cy4uCiAgICAgICAgZG91YmxlICpmID0gcmVpbnRlcnByZXRfY2FzdDxkb3VibGUqPigmYVswXSk7CiAgICAgICAgKmYgPSAzLjE0OwoKICAgICAgICAvLyB0YS1kYSBhZ2FpbiEKICAgICAgICBzdGQ6OmNvdXQgPDwgKnJlaW50ZXJwcmV0X2Nhc3Q8ZG91YmxlKj4oJmIpIDw8IHN0ZDo6ZW5kbDsgLy8gMy4xNAoKICAgICAgICAvLyBvciBmcm9tIGEgZGlyZWN0bHkKICAgICAgICBzdGQ6OmNvdXQgPDwgKnJlaW50ZXJwcmV0X2Nhc3Q8ZG91YmxlKj4oJmEuZnJvbnQoKSkgPDwgc3RkOjplbmRsOyAvLyAzLjE0CgogICAgICAgIC8vIGJ1dCB3YWl0Li4hCiAgICAgICAgYS5wdXNoX2JhY2soMjMpOwogICAgICAgIHN0ZDo6Y291dCA8PCBiIDw8IHN0ZDo6ZW5kbDsgLy8gMjMgLS0gWk9NRyEgSE9XPyEKCiAgICAgICAgYS5wb3BfYmFjaygpOwogICAgICAgIHN0ZDo6Y291dCA8PCBiIDw8IHN0ZDo6ZW5kbDsgLy8gMjMgYWdhaW4hCgogICAgICAgIC8vIG1vcmUgc2hlbmFuaWdhbnMKICAgICAgICBBIGEyOwogICAgICAgIGEucHVzaF9iYWNrKCpyZWludGVycHJldF9jYXN0PGludCo+KCZhMi5tKSk7CiAgICAgICAgc3RkOjpjb3V0IDw8ICpyZWludGVycHJldF9jYXN0PGNoYXIqPigmKmEuYmVnaW4oKSkgPDwgc3RkOjplbmRsOyAvLyBBCiAgICAgICAgCiAgICAgICAgYS5wb3BfYmFjaygpOwogICAgICAgIGEucHVzaF9iYWNrKCpyZWludGVycHJldF9jYXN0PGNoYXIqPigmYTIpKTsKICAgICAgICBzdGQ6OmNvdXQgPDwgKGNoYXIpKmEuYmVnaW4oKSA8PCBzdGQ6OmVuZGw7IC8vIEEgYWdhaW4hCiAgICAgICAgCiAgICAgICAgLy8gQ29uY2x1c2lvbnM6IHRoZSBzdGFjayBpcyBmdW4hCn0K