...
Care must be taken to ensure that the size is valid for the array. If these parameters can be manipulated by an attacker, this function will almost always result in an exploitable vulnerability.
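One way to perform this validation, as an added example that is not part of the original page. It assumes the size ends up in a variable length array declarator, as the reference below suggests; the function names and the 4096-byte stack limit are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed policy limit for a stack-resident array; not a value from the page. */
#define MAX_STACK_ARRAY_BYTES 4096u

/* Returns 1 if `count` elements of `elem_size` bytes are a valid array size. */
int array_size_is_valid(size_t count, size_t elem_size)
{
    if (count == 0 || elem_size == 0)
        return 0;               /* a VLA size must evaluate to a value > 0 */
    if (count > SIZE_MAX / elem_size)
        return 0;               /* count * elem_size would wrap around */
    return count * elem_size <= MAX_STACK_ARRAY_BYTES;
}

/*
 * Sums the first `count` values of `src` through a local working copy.
 * `src_len` is the real number of elements in `src`; `count` is the
 * untrusted value. Returns 0 on success, -1 if the request is rejected.
 */
int sum_values(const int *src, size_t src_len, size_t count, long *out)
{
    if (src == NULL || out == NULL)
        return -1;
    if (count > src_len)        /* would read past the source array */
        return -1;
    if (!array_size_is_valid(count, sizeof(int)))
        return -1;

    int scratch[count];         /* VLA: size was validated above */
    memcpy(scratch, src, count * sizeof scratch[0]);

    long total = 0;
    for (size_t i = 0; i < count; i++)
        total += scratch[i];
    *out = total;
    return 0;
}
```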
References
- ISO/IEC 9899:1999, Section 6.7.5.2, Array declarators