...
If the vulnerable program references memory offset from the return value, an attacker can exploit the program to read or write arbitrary memory. This vulnerability has been used to execute arbitrary code [VU#159523].
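The failure mode described above, as an added example that is not code from the original page: when a failed allocation returns null and the result is used unchecked, the address touched is determined entirely by the offset. The hook `AllocFn`, the simulated-failure allocator `failing_alloc`, and the function names are hypothetical, and the sample index is constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <new>

// Hypothetical allocator hook so the failure path can be exercised on demand.
using AllocFn = void* (*)(std::size_t);

void* nothrow_alloc(std::size_t n) { return ::operator new(n, std::nothrow); }
void* failing_alloc(std::size_t)   { return nullptr; }  // simulated exhaustion

// Unchecked pattern: the address an unguarded `buf[index] = value` would touch.
// It is computed as an integer and never dereferenced. On mainstream platforms
// a null pointer converts to 0, so after a failed allocation target == index.
std::uintptr_t unchecked_target(AllocFn alloc, std::size_t len, std::size_t index) {
    char* buf = static_cast<char*>(alloc(len));  // return value not checked
    std::uintptr_t target = reinterpret_cast<std::uintptr_t>(buf) + index;
    ::operator delete(buf);                      // deleting a null pointer is a no-op
    return target;
}

enum class Store { Ok, AllocFailed, OutOfRange };

// Hardened form: reject a null return and an out-of-range index before writing.
Store checked_store(AllocFn alloc, std::size_t len, std::size_t index, char value) {
    char* buf = static_cast<char*>(alloc(len));
    if (buf == nullptr) {
        return Store::AllocFailed;               // allocation error detected and reported
    }
    Store result = Store::OutOfRange;
    if (index < len) {
        buf[index] = value;
        result = Store::Ok;
    }
    ::operator delete(buf);
    return result;
}

int main() {
    const std::size_t untrusted = 0x1000;        // constructed sample index
    bool ok = unchecked_target(failing_alloc, 64, untrusted) == untrusted
           && checked_store(failing_alloc, 64, untrusted, 'x') == Store::AllocFailed
           && checked_store(nothrow_alloc, 64, 8, 'x') == Store::Ok;
    return ok ? 0 : 1;
}
```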
...
[ISO/IEC 14882-2014] | 18.6.1.1, "Single-object Object Forms" |
[ISO/IEC 9899:2011] | Section 7.20.3, "Memory Management Functions" |
[Meyers 95] | Item 7, "Be prepared for out-of-memory conditions" |
[Seacord 2013b] | Chapter 4, "Dynamic Memory Management" |
...