sprintf with user controlled format string is unsafe #310

@Aeledfyr

PlotPieChart and RenderHeatmap call sprintf with a provided format string, which is unsafe.

sprintf(buffer, fmt, (double)values[i]);
sprintf(buff, fmt, values[i]);

This can lead to a simple buffer overflow, if the provided format string causes >32 characters of output, but it may also allow writing to arbitrary memory locations by using %n and reading local stack addresses using %p.

I don't know if there are ways to handle the second two issues, but using snprintf instead of sprintf should prevent potential buffer overflows.
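One defensive handling of the pattern this issue describes, as an added example that is not the project's own code: accept a caller-supplied format only if it is a single floating-point conversion (so `%n`, `%p`, `%s` and extra conversions are rejected), then format with `snprintf` and report truncation instead of overflowing. The function names are assumptions; the 32-byte buffer size is the one the issue mentions.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define LABEL_BUF 32  /* label buffer size referred to in the issue */

/* Return true only if fmt contains exactly one conversion, that conversion
 * consumes a double (f/F/e/E/g/G/a/A, no length modifier, no '*' width or
 * precision), and nothing else that would read or write an argument. */
bool fmt_is_safe_double(const char *fmt) {
    int conversions = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                 /* "%%" is a literal percent sign */
        while (*p && strchr("-+ #0", *p)) p++;   /* flags */
        while (*p >= '0' && *p <= '9') p++;      /* width (digits only, no '*') */
        if (*p == '.') {                          /* precision (digits only, no '*') */
            p++;
            while (*p >= '0' && *p <= '9') p++;
        }
        /* Any length modifier or non-double conversion (%n, %p, %s, %d, ...) fails */
        if (!*p || !strchr("fFeEgGaA", *p)) return false;
        conversions++;
    }
    return conversions == 1;
}

/* Format one value into a fixed-size buffer. Returns false when the format
 * is rejected or the output would not fit; the caller can then fall back to
 * a built-in default format instead of silently truncating or overflowing. */
bool format_value(char *buf, size_t bufsz, const char *fmt, double v) {
    if (!fmt_is_safe_double(fmt)) return false;
    int n = snprintf(buf, bufsz, fmt, v);
    return n >= 0 && (size_t)n < bufsz;
}

int main(void) {
    char label[LABEL_BUF];
    const char *fmts[] = { "%.2f", "%g%%", "%n", "%040.1f" };
    for (size_t i = 0; i < sizeof fmts / sizeof fmts[0]; i++) {
        bool ok = format_value(label, sizeof label, fmts[i], 3.14159);
        printf("%-10s -> %s\n", fmts[i], ok ? label : "(rejected)");
    }
    return 0;
}
```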
