...
Because malloc() is only called if p is NULL when entering the if clause, free() might be called with a pointer to local data not allocated by malloc(). (See guideline rule MEM34-C. Only free memory allocated dynamically.) This is partially due to the uncertainty of whether malloc() is actually called or not.
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
CERT C++ Secure Coding Standard: EXP02-CPP. Be aware of the short-circuit behavior of the logical AND and OR operators
Bibliography
MITRE CWE: CWE-768, "Incorrect Short Circuit Evaluation"
ISO/IEC 9899:1999 Section Wiki Markup
Bibliography
...
EXP01-C. Do not take the size of a pointer to determine the size of the pointed-to type 03. Expressions (EXP)