There are a number of “potential” issues here, non of them is actually infinging anything but you may find things not behaving as you expect.

First: wsprintf, as a Win32 API (http://msdn.microsoft.com/en-us/library/windows/desktop/ms647550(v=vs.85).aspx ) is prototyped as:

int __cdecl wsprintf(
  _Out_  LPTSTR lpOut,
  _In_   LPCTSTR lpFmt,
  _In_    ...
);

where LPTSTR is defined as char* or wchar_t* depending on the definition or not of the UNICODE symbol (check your propject settings and / or build commands)

Now, in case you are on an ANSI build (no UNICODE) all types are coherent, but there is no check about wsprintf writing more than the 128 char you allocated. If you just write a decimal integer it will have no problem, but if you (of somebody else after you) modify later the “message” and no checks are made, some surprises may arise (like wsprintf(sp,"This is the number I've been told I was supposed to be expected to be: %d",x); will this still fits the 128 chars?!? )

In case you are on a UNICODE build, you allocate 128 char, and write a double-byte string on it. The number 22 will be written as \x32\x00\x32\x00\x00\x00 (3200 is the little-endian coding for 0x0032 that is the wchar_t correponding to the UNICODE 50 that stands for ‘2’).
If you give that sequence to cout (that is char based, not wchar_t based) will see the first \x00 as a string terminator and will output … just ‘2’.

To be coherent, you shold either:

• use all char based types and function (OK malloc and cout, but wsprintfA instead of wsprintf)
• use all wchar_t based types and function (malloc(128*sizeof(wchar_t)), wchar_t* and wsprintfW)
• use all TCHAR based types (malloc(128*sizeof(TCHAR)), TCHAR* and wsprintf, but define tcout as cout or wcout depending on UNICODE).