That piece of code likely gathers all the key recovery candidates it can from the signature, hashes and tests each one against the hash in the address to find the correct key. Then it performs the verification. Obviously the verification would fail if none of the keys hash to the hash contained in the address.

I don't know how the public key has been obtained, but it's present in many places in the Internet (blockchain.info, blockr.io, etc..).