Basically for the whole program. Printf starts taking arguments off the stack and, in this case, takes an int worth too much. That’s usually something like the return address. So when the printf returns, it returns to whatever random number happens to be next on the stack. The usual result — if you’re lucky — is a segmentation fault.

Because it pushes arguments onto the stack, it pops them off, so it tries to get the int first.

If you’re not lucky, it finds an addressable chunk of code. That leads to your second case, where the address becomes the address of that hash of random characters. Now it’s going to try to print a string until it find a random NUL character.

Update

As Joachim points out, the specifics of this are determined by the calling convention, so let’s make an explicit example. When the printf function is to be called, either the return address is pushed first or its pushed last. We assume it’s pushed first (more common on the usual architecture), so this call is going to need PUSH return-address, PUSH address of the format string, PUSH an int value — let’s say 42. That gives us this stack:

RTN ADDR
ADDR OF STRING
42

and leaves the stack pointer SP pointing to the next location on the stack.

Now the printf starts to interpret the string. It looks for the address of the int parameter, and figures out it’s SP-1. So the address of the string parameter must be SP-2 … but that’s the address of the format string, since there is no string parameter. Then when it looks for the address of the format string, it wants to find SP-3, but that’s the return address, an address of executable code. That should, on most any machine, cause a segmentation fault.

If you go through the other options for calling convention, you’ll find every one of them looks at some wrong thing, because no matter what, printf thinks it needs to refer to three things off the stack, not the two it has.