Yes, this code is leaky.
vsnprintf can return a negative number on error. In VC++, vsnprintf returns -1 when the target buffer is too small, which breaks the logic in this code... See here: MSDN The VC implementation doesn't agree with the C standard...
Other sources of vsnprintf failure are sending a NULL 'format' buffer or bad encoding in the format buffer.
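A formatting helper that accounts for the return values described in the answer above, as an added example (it is not the code from the question). The names format_alloc and FMT_MAX and the 1 MiB cap are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>

#define FMT_MAX ((size_t)1 << 20)   /* assumed cap on the output size */

/* Returns a malloc'd, NUL-terminated string, or NULL on any failure.
 * Every failure path frees the working buffer, so nothing leaks. */
char *format_alloc(const char *fmt, ...)
{
    size_t size = 64;
    char *buf = NULL;

    if (fmt == NULL)                /* NULL format: reject before calling */
        return NULL;

    while (size <= FMT_MAX) {
        char *tmp = realloc(buf, size);
        if (tmp == NULL)
            break;                  /* old buf is still valid; freed below */
        buf = tmp;

        va_list ap;
        va_start(ap, fmt);          /* restart the argument list per attempt */
        int n = vsnprintf(buf, size, fmt, ap);
        va_end(ap);

        if (n >= 0 && (size_t)n < size)
            return buf;             /* output fit, including the NUL */
        if (n >= 0)
            size = (size_t)n + 1;   /* C99: n is the length that is needed */
        else
            size *= 2;              /* negative: "too small" or a real error */
    }
    free(buf);                      /* cap exceeded, error, or out of memory */
    return NULL;
}

int main(void)
{
    char *s = format_alloc("%s:%d", "constructed", 7);
    if (s)
        puts(s);
    free(s);
    return 0;
}
```

A negative return is never used as a length or an index; a persistent error, such as a bad encoding, ends at the cap with the buffer freed.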