There's a pretty common pattern used to allocate an array of n objects of type T: malloc(sizeof(T) * n)
A very large n can cause an overflow of the size_t passed to malloc(). An attacker who controls n can cause a smaller memory area to be allocated, leading to a buffer overflow when the application tries to use that shiny new buffer.