
sprintf with user controlled format string is unsafe #310

Closed
Aeledfyr opened this issue Dec 31, 2021 · 2 comments

Comments

@Aeledfyr

PlotPieChart and RenderHeatmap call sprintf with a provided format string, which is unsafe.

sprintf(buffer, fmt, (double)values[i]); // fmt is caller-supplied; buffer is a fixed-size array, so output longer than it can hold overflows
sprintf(buff, fmt, values[i]);           // same pattern with buff

This can lead to a simple buffer overflow, if the provided format string causes >32 characters of output, but it may also allow writing to arbitrary memory locations by using %n and reading local stack addresses using %p.

I don't know if there are ways to handle the latter two issues, but using snprintf instead of sprintf should prevent potential buffer overflows.

@epezent (Owner)

epezent commented Jan 30, 2022

168244e makes the change to snprintf. Regarding the second issue, ImGui allows users to provide custom format strings throughout its API for various widgets. Do those functions also present the same issue, or is ImGui taking special precautions we should also be taking?

@epezent (Owner)

epezent commented Jan 30, 2022

Curious, I followed ImGui's format strings all the way through and it doesn't seem ImGui is doing anything special -- all format strings go to vsnprintf without additional checks.

In doing so, I discovered that ImGui wraps raw calls to vsnprintf inside of ImFormatString, which can be overridden by the user using imconfig.h. I have decided to replace all of our calls to snprintf with ImFormatString so that ImPlot will also honor the user's override (86f4dd6). I suppose one could intercept malicious format arguments there if desired.
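As an added example (not ImPlot's or ImGui's code), the block below shows one way to do the interception suggested in the comment above, and also addresses the two residual problems named in the original report: switching to snprintf bounds the write into the 32-byte buffer, but a caller-supplied format can still contain %n (a write through a pointer argument that was never passed) or %p/%s (reads of whatever happens to be on the stack). The validator accepts exactly one floating-point conversion with optional flags, width and precision and rejects everything else, including '*' widths, which would consume an extra argument. The function names IsSafeDoubleFormat and FormatValue, the fallback format "%g" and the 32-byte buffer are assumptions for illustration.

```cpp
// Added example, not part of ImPlot or ImGui.
// Validate a user-supplied printf-style format before it reaches snprintf,
// so that it can only consume the single double we actually pass.
#include <cstdio>
#include <cstring>
#include <string>

// Returns true if `fmt` contains exactly one conversion specifier and that
// specifier formats one double: optional flags (-+ #0), a numeric width, a
// numeric precision, an optional 'l' and one of fFeEgGaA. A literal "%%" is
// allowed. Rejected: %n, %s, %p, %d and other integer/pointer conversions,
// '*' widths/precisions, other length modifiers, a dangling '%', more than
// one conversion, and a format with no conversion at all (it would never
// display the value).
bool IsSafeDoubleFormat(const char* fmt) {
    int conversions = 0;
    for (const char* p = fmt; *p; ++p) {
        if (*p != '%') continue;
        ++p;
        if (!*p) return false;            // dangling '%' at end of string
        if (*p == '%') continue;          // literal percent sign
        while (*p && std::strchr("-+ #0", *p)) ++p;          // flags
        while (*p >= '0' && *p <= '9') ++p;                  // width (digits only)
        if (*p == '.') {                                     // precision (digits only)
            ++p;
            while (*p >= '0' && *p <= '9') ++p;
        }
        if (*p == 'l') ++p;               // "%lf" is the same as "%f" for a double
        if (!*p || !std::strchr("fFeEgGaA", *p)) return false;
        if (++conversions > 1) return false;
    }
    return conversions == 1;
}

// Format `value` into a fixed 32-byte buffer (the size implied by the issue)
// with `fmt` if it passes validation, otherwise with the fallback "%g".
// snprintf bounds the write; the validation is what removes %n and %p.
// Output longer than the buffer is truncated, not overflowed.
std::string FormatValue(double value, const char* fmt) {
    char buf[32];
    const char* safe_fmt = IsSafeDoubleFormat(fmt) ? fmt : "%g";
    int n = std::snprintf(buf, sizeof(buf), safe_fmt, value);
    if (n < 0) return std::string();
    return std::string(buf);
}

int main() {
    const char* samples[] = { "%.2f", "%.1f%%", "x = %f units", "%n", "%p %p %p", "%.40f" };
    for (const char* s : samples) {
        std::printf("fmt=%-14s safe=%d out=\"%s\"\n", s, IsSafeDoubleFormat(s) ? 1 : 0,
                    FormatValue(3.14159, s).c_str());
    }
    return 0;
}
```

Wiring this into ImFormatString via the imconfig.h override, as the comment above describes, would make every ImGui and ImPlot widget that takes a caller format go through the same check; the validator would then need to be widened to whatever argument types those widgets actually pass.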
