Barcodes as an attack vector?

Yes, barcode scanners present a potential vulnerability. You need to prevent attacks from this vector in the same way you'd prevent attacks from any input vector, such as a network connection or a keyboard.

  1. Validate inputs in the app, not the scanner. Do not rely on configuring the scanner to only deliver 12-digit UPC-A barcodes. As every web app developer quickly learns, trusting the client to perform input sanitization is a giant security hole. Use length checks in the app to ensure that buffer overflows can't be exploited. Perform white-listing value checks to make sure you don't have out-of-bounds characters (for example, if you're expecting the user to scan only a product UPC-A or EAN-13 barcode, you should throw an exception if the input contains any non-digit values).

  2. Code defensively. Just as with a web app, you need to make secure coding choices such as parameterized SQL. You should already be doing this to protect against keyboard-entered SQL injection attacks; barcodes are nothing special here.

  3. Harden your devices. Most barcode scanners are initially configured by scanning a series of special manufacturer-provided barcodes (your scanners' documentation will describe these symbols). Read the scanners' documentation to find the way to configure the scanners from the host computer via the data connection. Once you can configure the scanners from the computer, do so. Among the configuration items to set, you should disable the scanner's ability to read the configuration barcodes.
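Points 1 and 2 of this answer (app-side whitelist validation, then a parameterized query) together, as an added example that is not part of the original answer: the product catalogue, the scans and the function names are constructed for illustration. The validator applies a hard length cap before parsing, strips only the Enter/Tab terminator a scanner typically appends, accepts only 12-digit UPC-A or 13-digit EAN-13 input made of ASCII digits, and verifies the GS1 modulo-10 check digit; only a scan that survives all of that reaches the database, and even then it is bound as a parameter rather than formatted into SQL.

```python
import re
import sqlite3

# Constructed sample catalogue standing in for a real product database.
SAMPLE_PRODUCTS = [
    ("036000291452", "Widget, 12 oz"),   # UPC-A, check digit 2
    ("4006381333931", "Gadget, boxed"),  # EAN-13, check digit 1
]

ALLOWED_LENGTHS = {12, 13}  # UPC-A and EAN-13 only; everything else is rejected
MAX_SCAN_CHARS = 64         # hard cap applied before any parsing happens


class InvalidScanError(ValueError):
    """Raised for any scan that is not a well-formed UPC-A / EAN-13 code."""


def gtin_check_digit(data_digits: str) -> int:
    """GS1 modulo-10 check digit: weights 3,1,3,1,... from the rightmost data digit."""
    total = 0
    for i, ch in enumerate(reversed(data_digits)):
        weight = 3 if i % 2 == 0 else 1
        total += int(ch) * weight
    return (10 - total % 10) % 10


def validate_scan(raw: str) -> str:
    """Whitelist validation done in the application, whatever the scanner is configured to send."""
    if len(raw) > MAX_SCAN_CHARS:
        raise InvalidScanError("scan exceeds maximum length")
    # Keyboard-wedge scanners usually append a terminator (Enter or Tab); strip only those.
    code = raw.rstrip("\r\n\t")
    if len(code) not in ALLOWED_LENGTHS:
        raise InvalidScanError(f"unexpected length {len(code)}")
    # [0-9] rather than \d: \d would also accept non-ASCII Unicode digits.
    if not re.fullmatch(r"[0-9]+", code):
        raise InvalidScanError("non-digit characters in scan")
    if gtin_check_digit(code[:-1]) != int(code[-1]):
        raise InvalidScanError("check digit mismatch")
    return code


def build_catalogue() -> sqlite3.Connection:
    """In-memory SQLite table loaded with the constructed sample products."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (gtin TEXT PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", SAMPLE_PRODUCTS)
    return conn


def lookup_product(conn: sqlite3.Connection, raw_scan: str):
    """Validate first, then query with a bound parameter; the scan is never formatted into SQL."""
    code = validate_scan(raw_scan)
    row = conn.execute("SELECT name FROM products WHERE gtin = ?", (code,)).fetchone()
    return row[0] if row else None


def classify_scans(conn: sqlite3.Connection, scans):
    """Map each raw scan to its product name, None (unknown code), or 'rejected: <reason>'."""
    results = {}
    for s in scans:
        try:
            results[s] = lookup_product(conn, s)
        except InvalidScanError as e:
            results[s] = f"rejected: {e}"
    return results


if __name__ == "__main__":
    conn = build_catalogue()
    # Constructed scans: two good codes, one with a wrong check digit, one with a
    # non-digit payload, and one that looks like keyboard-entered SQL injection.
    batch = [
        "036000291452\r",
        "4006381333931",
        "036000291453",
        "03600029145X",
        "' OR 1=1 --",
    ]
    for scan, result in classify_scans(conn, batch).items():
        print(repr(scan), "->", result)
```

The check-digit routine is the general GS1 algorithm, so the same function also covers EAN-8 and GTIN-14 if `ALLOWED_LENGTHS` is widened; the point is that the app decides what is acceptable, not the scanner's configuration.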


Many barcode scanners are treated by the operating system as a type of keyboard. This gives them exactly the same attack surface as somebody typing in the barcode's information at the keyboard. As an extreme example, a barcode scanner that understands byte-mode PDF 417 or binary QR code could command the computer to exit the current program, launch Internet Explorer, download a program from the website of the attacker's choice, and run that program.


Barcode is just a representation of input.

"Are barcodes a vulnerability?" could be written as "Are inputs a vulnerability?". In itself no, but it's an attack vector.

Barcodes normally encode numerical, string or binary data. In addition to how that data can be used for exploitation at different levels (you mention buffer overflow, but it goes way up the software chain - barcodes can include URLs that are interpreted by OS/browser, and later by software on server side), also consider the parsing of barcodes itself, which might contain out of bounds accesses, overflows etc.

Prevention? As always, input validation and sanitization.