...
The C standard includes support for variable-length arrays (VLAs) [ISO/IEC 9899:2011]. If the array length is derived from an untrusted data source, an attacker can cause the process to perform an excessive allocation on the stack.
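The contrast below is an added example, not code from the CERT text: the same routine written with a VLA sized from an untrusted length, and with a bounded heap allocation instead. The function names, `MAX_RECORD_LEN` and the sample record are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Assumed application limit for this example; choose one per protocol. */
#define MAX_RECORD_LEN 4096u

/* Constructed sample input. */
static const unsigned char SAMPLE_RECORD[] = {1, 2, 3};

/* Noncompliant: len comes from untrusted input and sizes a VLA, so the
 * stack frame grows by whatever the sender asked for, with no way to detect
 * or report failure. (len == 0 is also undefined behaviour for a VLA.) */
long checksum_record_vla(const unsigned char *payload, size_t len)
{
    unsigned char scratch[len];
    long sum = 0;

    memcpy(scratch, payload, len);
    for (size_t i = 0; i < len; i++)
        sum += scratch[i];
    return sum;
}

/* Hardened: enforce the limit before allocating, and use the heap so that
 * an allocation failure comes back as NULL and can be handled.
 * Returns the checksum, or -1 if the request is rejected. */
long checksum_record_heap(const unsigned char *payload, size_t len)
{
    unsigned char *scratch;
    long sum = 0;

    if (payload == NULL || len == 0 || len > MAX_RECORD_LEN)
        return -1;                      /* reject before any allocation */
    scratch = malloc(len);
    if (scratch == NULL)
        return -1;                      /* out of memory is recoverable */
    memcpy(scratch, payload, len);
    for (size_t i = 0; i < len; i++)
        sum += scratch[i];
    free(scratch);
    return sum;
}

int main(void)
{
    return checksum_record_heap(SAMPLE_RECORD, sizeof SAMPLE_RECORD) == 6 ? 0 : 1;
}
```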
...
CERT C++ Secure Coding Standard: MEM05-CPP. Avoid large stack allocations
ISO/IEC 9899:2011 Section 6.7.6.2, "Array declarators," and Section 7.22.3, "Memory management functions"
...