libobs/util: Fix use-after-free in darray_insert_new

After the array is allocated in `darray_ensure_capacity`, the pointer `item` is invalid.
2024-07-14 23:34:08 +00:00 · 2023-06-10 02:02:51 +09:00 · 2023-06-10 02:02:51 +09:00 · d040de51bb
parent 2ea47bb65a
commit d040de51bb
1 changed files with 2 additions and 1 deletions
--- a/libobs/util/darray.h
+++ b/libobs/util/darray.h
@ -269,10 +269,11 @@ static inline void *darray_insert_new(const size_t element_size,
 	if (idx == dst->num)
 		return darray_push_back_new(element_size, dst);

+	darray_ensure_capacity(element_size, dst, ++dst->num);
+
 	item = darray_item(element_size, dst, idx);

 	move_count = dst->num - idx;
-	darray_ensure_capacity(element_size, dst, ++dst->num);
 	memmove(darray_item(element_size, dst, idx + 1), item,
 		move_count * element_size);