...
It is common for an array variable to be declared with both a string literal, and a size index which specifies the number of characters in the string literal. This is one too few characters to hold the string, since it does not account for the terminating null character. This Such a sequence of characters has limited utility and has the potential to cause vulnerabilities when if a null-terminated byte string is assumed. Consequently, this practice is disallowed by this Secure Coding standardThus, the size index for a character array must never be explicit.
A better approach is to not specify the dimension of a string initialized with a string literal, as the compiler will automatically allocate sufficient space for the entire string literal, including the terminating null character.
...
Non-Compliant Code Example
This The following non-compliant code example initializes an array of characters using a string literal that defines one more character (counting the terminating '\0') than the array can hold.
...