It really depends on what's on the stack, which determines how many bytes you have to overwrite at a minimum. Function params and local variables will be in the way of the stack pointer, which is what you're trying to overwrite, correct? I would say overflow it with 1k of the same repeating byte pattern and step with gdb or some other debugger to get a stack trace.
Ex. 1 (you need to write sizeof(int) bytes past the array to get to the stack pointer.)
void testFunction(int arg0){
    char overflow[16] = {0};
    char HUGE_ARRAY[10000] = {0}; // what does the stack look like in this case? This giant block of memory should be on the stack AFTER your target array
    // do something that allows the user to overflow the overflow array for w/e reason
}
Ex. 2 (you need to write sizeof(int) bytes + 10000 bytes past the array to get to the stack pointer.)
void testFunction(int arg0){
    char HUGE_ARRAY[10000] = {0}; // what does the stack look like in this case? This giant block of memory should be on the stack BEFORE your target array.
    char overflow[16] = {0};
    // do something that allows the user to overflow the overflow array for w/e reason
}
If you know the target environment (sizeof(int) is known, for example), the number and type of function params, and the number and type of local variables popped on the stack when you enter the function whose stack pointer you're trying to overwrite, then you can theoretically write the exact bytes of the function's stack pointer.
Alternatively, you can figure this out by writing 0x00 values past the overflow buffer and increasing the distance past the 16 bytes every time, until you seg fault. Once you seg fault, you have found the function's stack pointer.
In general, the stack grows by popping on the following things in the following order: return address -> function params -> locals.
In your case, you can probably test it by writing more bytes than you need. (This will work as long as <4k was allocated to this function's stack prior to overflow being popped on the stack.)
int offset;
for (offset = 0; offset < 1000; offset++){
    // write an int at each byte offset past the 16-byte buffer (plus 4)
    *(int *)(overflow + 4 + offset) = 0x1234B000;
}
GL.
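Added example, not part of the answer above (function names, the sentinel local and the sample strings are my own). It shows two things the answer talks about: where the compiler actually puts the locals of the ex1/ex2 pattern, which you can only really learn by looking (print_layout stands in for the "step with gdb" step), and what the missing "do something that allows the user to overflow" piece looks like once the length is checked before the copy, so the write can never reach HUGE_ARRAY, the saved frame pointer or the return address regardless of layout.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Added example, not from the original answer. Names and inputs are made up. */

#define OVERFLOW_LEN 16

/* Diagnostic only: print where the compiler placed the locals of the
 * answer's ex1/ex2 pattern. Declaration order does not fix the layout; the
 * offsets printed here move with the compiler, the optimisation level and
 * -fstack-protector (which tends to hoist arrays above scalars and put a
 * canary between them and the saved return address). */
void print_layout(void) {
    char overflow[OVERFLOW_LEN] = {0};
    char huge_array[10000] = {0};
    int sentinel = 0;   /* stands in for "whatever else lives in this frame" */

    intptr_t base = (intptr_t)overflow;
    printf("overflow   at %p\n", (void *)overflow);
    printf("huge_array at %p (%+ld bytes from overflow)\n",
           (void *)huge_array, (long)((intptr_t)huge_array - base));
    printf("sentinel   at %p (%+ld bytes from overflow)\n",
           (void *)&sentinel, (long)((intptr_t)&sentinel - base));
}

/* Hardened form of the answer's testFunction: the length check runs before
 * any byte is written, so the copy stays inside the 16-byte buffer no matter
 * how the compiler ordered the frame. Returns 0 if the input fit (15 chars
 * plus the terminating NUL), -1 if it was rejected. */
int test_function_safe(const char *user_input) {
    char overflow[OVERFLOW_LEN];
    size_t len = strlen(user_input);

    if (len >= sizeof overflow) {   /* no room left for the terminating NUL */
        return -1;
    }
    memcpy(overflow, user_input, len + 1);
    return 0;
}

int main(void) {
    print_layout();
    /* Constructed inputs: one that fits the buffer, one that does not. */
    printf("short input    -> %d\n", test_function_safe("short input"));
    printf("too long input -> %d\n",
           test_function_safe("this is far longer than sixteen bytes"));
    return 0;
}
```

Build it twice, e.g. `gcc -O0 -fno-stack-protector` and `gcc -O2 -fstack-protector-strong`, and compare the offsets print_layout reports: the distance from overflow to the other locals is a property of that particular build, not of the source. With the stack protector on, a copy that did run past the buffer trips the canary and glibc aborts the process before the function returns, which is the detection side of the "keep writing until you seg fault" observation in the answer.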