According to the C standard [ISO/IEC 9899:2011], the behavior of a program that uses the value of a pointer that refers to space deallocated by a call to the free() or realloc() function is undefined. (See undefined behavior 177 of Annex J.)

...

In this noncompliant example (CVE-2009-1364) from libwmf version 0.2.8.4, the return value of gdRealloc (a simple wrapper around realloc that reallocates the space pointed to by im->clip->list) is stored in more. However, the value of im->clip->list is used directly afterwards in the code, and ISO/IEC 9899:2011 specifies that if realloc moves the area pointed to, then the original is freed. An attacker can then execute arbitrary code by forcing a reallocation (with a sufficiently large im->clip->count) and accessing freed memory [xorl 2009].
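The following is an added illustration of the realloc pattern described above; it is not code from libwmf or from the CERT rule. The clip_t structure, the clip_push functions and demo_compliant are assumptions chosen to mirror the im->clip->list / im->clip->count pair in the text. The noncompliant function is defined only to show the defect and is never called, because executing it would read and write freed memory (undefined behavior); the compliant function updates the owning pointer before any further use and is exercised across several reallocations.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical clip-list structure, modelled loosely on the
 * im->clip->list / im->clip->count pair discussed in the rule text. */
typedef struct {
    int *list;    /* dynamically allocated array of clip entries */
    size_t count; /* number of entries in use */
    size_t cap;   /* number of entries the allocation can hold */
} clip_t;

/* NONCOMPLIANT (mirrors the defect the rule describes): the result of realloc
 * is stored in `more`, but the code then keeps using clip->list. If realloc
 * moved the block, clip->list refers to freed memory at that point.
 * This function is deliberately never called in this example. */
int clip_push_noncompliant(clip_t *clip, int value) {
    if (clip->count == clip->cap) {
        size_t newcap = clip->cap ? clip->cap * 2 : 4;
        int *more = realloc(clip->list, newcap * sizeof *more);
        if (more == NULL)
            return -1;
        clip->cap = newcap;
        clip->list[clip->count] = value; /* BUG: use of the stale (possibly freed) pointer */
        clip->list = more;               /* the update comes too late */
    } else {
        clip->list[clip->count] = value;
    }
    clip->count++;
    return 0;
}

/* COMPLIANT: the owning pointer is replaced by the realloc result before any
 * further access. On failure the original block is still valid and is left
 * untouched, so the caller keeps ownership and can free it normally. */
int clip_push(clip_t *clip, int value) {
    if (clip->count == clip->cap) {
        size_t newcap = clip->cap ? clip->cap * 2 : 4;
        int *more = realloc(clip->list, newcap * sizeof *more);
        if (more == NULL)
            return -1;
        clip->list = more; /* only this pointer is used from here on */
        clip->cap = newcap;
    }
    clip->list[clip->count++] = value;
    return 0;
}

/* Releases the list and resets the structure so the pointer cannot be reused. */
void clip_free(clip_t *clip) {
    free(clip->list);
    clip->list = NULL;
    clip->count = 0;
    clip->cap = 0;
}

/* Pushes n constructed entries (0..n-1) through several reallocations and
 * verifies that every entry is still readable through the updated pointer.
 * Returns 0 on success, -1 on allocation failure or data mismatch. */
int demo_compliant(size_t n) {
    clip_t clip = {NULL, 0, 0};
    for (size_t i = 0; i < n; i++) {
        if (clip_push(&clip, (int)i) != 0) {
            clip_free(&clip);
            return -1;
        }
    }
    int ok = (clip.count == n);
    for (size_t i = 0; i < n && ok; i++)
        ok = (clip.list[i] == (int)i);
    clip_free(&clip);
    return ok ? 0 : -1;
}

int main(void) {
    /* 1000 entries forces the list to grow 4 -> 8 -> ... -> 1024. */
    printf("compliant clip list: %s\n", demo_compliant(1000) == 0 ? "ok" : "FAILED");
    return 0;
}
```

Note that the compliant version also avoids the common `p = realloc(p, n)` idiom, which loses the only reference to the original block when realloc returns NULL; keeping the result in a temporary until the NULL check has passed is what makes it safe to assign back to clip->list.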

...

CERT C++ Secure Coding Standard: MEM30-CPP. Do not access freed memory

ISO/IEC 9899:2011 Section 7.22.3.3, "The free function"

...

[Kernighan 1988] Section 7.8.5, "Storage management"
[OWASP Freed Memory]
[Seacord 2005a] Chapter 4, "Dynamic Memory Management"
[Viega 2005] Section 5.2.19, "Using freed memory"
[xorl 2009] "CVE-2009-1364: LibWMF Pointer Use after free()"

...