He's not starting from a vulnerability offering code execution; it's a memory corruption vulnerability (it's effectively a heap write).