
fix: backport 2.7.1 crash fixes (macOS 26 WebView UAF + MakerWorld 3MF NULL-deref) #490

Merged: BenJule merged 2 commits into develop from fix/backport-2.7.1-crash-fixes, Jun 6, 2026

BenJule added 2 commits June 7, 2026 01:26
On macOS 26.5+ the wxWebView created in WebView::CreateWebView can be
destroyed before the CallAfter() callback that registers the "wx" script
message handler fires. The callback captured the raw webView pointer and
called AddScriptMessageHandler() on it unconditionally, dereferencing a
dangling pointer. On Apple Silicon this trips pointer authentication and
crashes (EXC_BAD_ACCESS / PAC failure); elsewhere it shows up as a long
startup hang with steadily growing memory use.

Guard the async callback by checking g_webviews (the list of live views)
before touching the webView, and also remove a view from g_delay_webviews
in ~WebViewRef so a pending flush never reaches an already-destroyed view.

Fixes bambulab#11004
Fixes bambulab#10968

GLVolumeCollection::load_object_volume dereferences
model_object->instances[instance_idx] (e.g. instance->get_transformation())
without validating the index. An object with an empty instances vector therefore
dereferences a null/garbage ModelInstance* and crashes with EXC_BAD_ACCESS — a
jump through a null vtable to 0x0.

This happens when opening certain MakerWorld 3MFs: the object-color dialog calls
update_obj_preview_origin_thumbnail(), which calls load_object_volume() with a
hard-coded instance_idx of 0 for every object, including ones that have no
instance yet during loading.

Bail out early (returning -1, "no volume added") when model_object is null or
volume_idx / instance_idx are out of range. The three other call sites either
pass valid indices or ignore the return value.

Fixes bambulab#11016
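
The liveness guard described in the first commit message above (check the registry of live views before a deferred callback touches the view), as an added C++ example. It is not code from this PR: View, g_live_views, g_pending, g_skipped and the functions below are hypothetical stand-ins for wxWebView, g_webviews and the CallAfter() queue.

```cpp
// Added illustration: View, g_live_views and g_pending are stand-ins for
// wxWebView, g_webviews and the CallAfter() queue; they are not project code.
#include <algorithm>
#include <functional>
#include <utility>
#include <vector>

struct View { int handlers = 0; void AddScriptMessageHandler(const char*) { ++handlers; } };
static std::vector<View*> g_live_views;               // registry of live views
static std::vector<std::function<void()>> g_pending;  // deferred callbacks
static int g_skipped = 0;                             // callbacks dropped by the guard

static bool is_live(const View* v) {
    return std::find(g_live_views.begin(), g_live_views.end(), v) != g_live_views.end();
}

View* create_view() {
    View* v = new View;
    g_live_views.push_back(v);
    // Deferred registration: v may already be destroyed when this runs.
    g_pending.push_back([v] {
        if (!is_live(v)) { ++g_skipped; return; }  // guard: view is gone, do not touch it
        v->AddScriptMessageHandler("wx");
    });
    return v;
}

void destroy_view(View* v) {  // unregister first so pending callbacks see the view as gone
    g_live_views.erase(std::remove(g_live_views.begin(), g_live_views.end(), v), g_live_views.end());
    delete v;
}

void run_pending() {  // one event-loop tick
    auto batch = std::move(g_pending);
    g_pending.clear();
    for (auto& cb : batch) cb();
}

// One of two views is destroyed before its callback fires.
int demo() {
    View* a = create_view();
    View* b = create_view();
    destroy_view(a);
    run_pending();  // a's callback is skipped by the guard, b's runs
    int on_b = b->handlers;
    destroy_view(b);
    return on_b;
}
int main() { return (demo() == 1 && g_skipped == 1) ? 0 : 1; }
```

A pointer-membership check cannot tell a destroyed view from a new one allocated at the same address; a generation counter or weak reference closes that gap.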
BenJule added this to the v02.07.00-dev milestone Jun 6, 2026
BenJule self-assigned this Jun 6, 2026
github-actions bot added the labels "crash" (Application crash or freeze) and "platform: macos" (macOS-specific issue) Jun 6, 2026
BenJule merged commit a202841 into develop Jun 6, 2026
6 checks passed
BenJule deleted the fix/backport-2.7.1-crash-fixes branch June 6, 2026 23:28
github-actions bot added the labels "area: ui" (User interface / wxWidgets) and "area: slicing" (Slicing engine, toolpath generation) Jun 6, 2026
BenJule added a commit that referenced this pull request Jun 7, 2026
…xes (#490) + path-aware CI (#492)

Validated green by develop nightly 27076845641 (26 build jobs across all platforms+archs, Publish success).