How dangerous is it to access an array out of bounds?

As far as the ISO C standard (the official definition of the language) is concerned, accessing an array outside its bounds has “undefined behavior”. The literal meaning of this is:

behavior, upon use of a nonportable or erroneous program construct or
of erroneous data, for which this International Standard imposes no
requirements

A non-normative note expands on this:

Possible undefined behavior ranges from ignoring the situation
completely with unpredictable results, to behaving during translation
or program execution in a documented manner characteristic of the
environment (with or without the issuance of a diagnostic message), to
terminating a translation or execution (with the issuance of a
diagnostic message).

So that’s the theory. What’s the reality?

In the “best” case, you’ll access some piece of memory that’s either owned by your currently running program (which might cause your program to misbehave), or that’s not owned by your currently running program (which will probably cause your program to crash with something like a segmentation fault). Or you might attempt to write to memory that your program owns, but that’s marked read-only; this will probably also cause your program to crash.
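As an added illustration that is not part of the original answer, here is a small C buffer with bounds-checked accessors: where an unchecked `data[i]` would reach past the array into whatever memory sits beside it, the checked functions return an error value or report how much input they refused. The `bounded_buf` type, `buf_get_or`, `buf_set`, `buf_copy`, and the 12-byte input fed into an 8-byte buffer are all constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define BUF_CAP 8

/* Fixed-size byte buffer whose accessors refuse out-of-bounds indices instead
 * of touching whatever memory sits next to data[]. The unchecked form,
 * `b->data[i]` with no test on i, is the undefined behavior discussed above. */
typedef struct {
    uint8_t data[BUF_CAP];
    size_t  len;            /* number of valid bytes in data */
} bounded_buf;

/* Checked read: the byte at i, or `fallback` when i is out of range. */
int buf_get_or(const bounded_buf *b, size_t i, int fallback) {
    if (b == NULL || i >= b->len) return fallback;
    return b->data[i];
}

/* Checked write: only indices inside the declared capacity are accepted. */
bool buf_set(bounded_buf *b, size_t i, uint8_t v) {
    if (b == NULL || i >= BUF_CAP) return false;
    b->data[i] = v;
    if (i >= b->len) b->len = i + 1;
    return true;
}

/* Copies at most BUF_CAP bytes; returns how many were dropped rather than spilled. */
size_t buf_copy(bounded_buf *b, const uint8_t *src, size_t n) {
    size_t take = n > BUF_CAP ? BUF_CAP : n;
    memcpy(b->data, src, take);
    b->len = take;
    return n - take;
}

/* Feeds a constructed 12-byte input (values 0..11) into the 8-byte buffer. */
bounded_buf demo_buf;
size_t buf_demo(void) {
    uint8_t src[12];
    for (size_t i = 0; i < sizeof src; i++) src[i] = (uint8_t)i;
    return buf_copy(&demo_buf, src, sizeof src);
}

int main(void) {
    size_t dropped = buf_demo();   /* 4: the bytes that would have overflowed */
    printf("dropped %zu; data[7]=%d data[8]=%d\n", dropped,
           buf_get_or(&demo_buf, 7, -1), buf_get_or(&demo_buf, 8, -1));
    return 0;
}
```

With the checks in place, the out-of-range read at index 8 yields the fallback value and the four surplus input bytes are counted rather than written past the end of the array.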

That’s assuming your program is running under an operating system that attempts to protect concurrently running processes from each other. If your code is running on the “bare metal”, say if it’s part of an OS kernel or an embedded system, then there is no such protection; your misbehaving code is what was supposed to provide that protection. In that case, the possibilities for damage are considerably greater, including, in some cases, physical damage to the hardware (or to things or people nearby).

Even in a protected OS environment, the protections aren’t always 100%. There are operating system bugs that permit unprivileged programs to obtain root (administrative) access, for example. Even with ordinary user privileges, a malfunctioning program can consume excessive resources (CPU, memory, disk), possibly bringing down the entire system. A lot of malware (viruses, etc.) exploits buffer overruns to gain unauthorized access to the system.

(One historical example: I’ve heard that on some old systems with core memory, repeatedly accessing a single memory location in a tight loop could literally cause that chunk of memory to melt. Other possibilities include destroying a CRT display, and moving the read/write head of a disk drive with the harmonic frequency of the drive cabinet, causing it to walk across a table and fall onto the floor.)

And there’s always Skynet to worry about.

The bottom line is this: if you could write a program to do something bad deliberately, it’s at least theoretically possible that a buggy program could do the same thing accidentally.

In practice, it’s very unlikely that your buggy program running on a MacOS X system is going to do anything more serious than crash. But it’s not possible to completely prevent buggy code from doing really bad things.
