Many free()'s store the length at the address right before the allocated space. (Often aligned on a nice boundary.) If you reference element -1 in your malloc'ed array, you may destroy the length, and cause lots of strange effects.