Here is change requests disassembly:
So this function starts off getting user input and making sure that the pointer at that index is valid and within range. Once it has done that, it prompts for user input and reads in at most 0x80 characters. Remember that the original function that malloc'd the space malloc'd 0x38 bytes, so this is again an overwrite. This is more interesting now, since we have the ability to go back and overflow a buffer with a known malloc space after it. This means we have the opportunity to overwrite malloc control structures.