The result of calling malloc(0) or calling calloc() to allocate 0 bytes (calloc(1,0) and , calloc(0,0), or calloc(0,1)) is undefined. From a practical standpoint, allocating 0 bytes with calloc(0) and malloc(0) can lead to programming errors with critical security implications, such as buffer overflows. This occurs because the result of allocating 0 bytes with calloc(0) and malloc(0) may not considered an error, thus the pointer returned may not be NULL. Instead, the pointer may reference a block of memory on the heap of size zero. If memory is fetched from, or stored in this a location serious error could occur. Numerous, vulnerabilities may allow calloc(0) or malloc(0) to occurthe allocation of 0 bytes with calloc and malloc, such as VU#179014, VU#226184, and VU#855118.
...