The static analysis tool we use is flagging C code similar to the following as a critical buffer overflow.
```c
#define size 64
char buf [size + 1] = "";
memset (buf, 0, size + 1);
```
The tool's error message is: Buffer Overflow (Array Index Out of Bounds): The array 'buf' size is 1. Array 'buf' may use the 0..64 index.
Is this legitimate? Does the assignment of the character array to the empty string really result in its length being reduced to a single byte, as if it were defined as `char buf [] = "";`?
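The two declarations in the question can be compared directly. The following is an added example, not the poster's code: `BUF_LEN` stands in for the post's `size` macro, and the function names and the guard-byte struct are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 64   /* the post's `size`, renamed for this example */

/* Declared bound wins: the initializer "" does not shrink the array. */
static size_t explicit_bytes(void) {
    char buf[BUF_LEN + 1] = "";
    return sizeof buf;                 /* BUF_LEN + 1 */
}

/* Only when the bound is omitted is the size taken from the initializer. */
static size_t inferred_bytes(void) {
    char buf[] = "";
    return sizeof buf;                 /* just the terminating NUL */
}

/* Elements not covered by the initializer are zero-initialized,
   so the array is already all zeros before any memset. */
static int zero_filled_by_initializer(void) {
    char buf[BUF_LEN + 1] = "";
    for (size_t i = 0; i < sizeof buf; i++)
        if (buf[i] != 0) return 0;
    return 1;
}

/* memset over BUF_LEN + 1 bytes leaves adjacent guard bytes intact. */
static int memset_stays_in_bounds(void) {
    struct { char before; char buf[BUF_LEN + 1]; char after; } s =
        { 0x55, "", 0x55 };
    memset(s.buf, 0, BUF_LEN + 1);
    return s.before == 0x55 && s.after == 0x55;
}

int main(void) {
    printf("explicit=%zu inferred=%zu zero_filled=%d in_bounds=%d\n",
           explicit_bytes(), inferred_bytes(),
           zero_filled_by_initializer(), memset_stays_in_bounds());
    return 0;
}
```

Writing the length as `sizeof buf` in the `memset` call keeps the byte count tied to the declaration.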