fix: guard load_object_volume against objects with no instances (crash opening some MakerWorld 3MFs)#11053
Merged
lanewei120 merged 1 commit on Jun 11, 2026
Conversation
GLVolumeCollection::load_object_volume dereferences model_object->instances[instance_idx] (e.g. instance->get_transformation()) without validating the index. An object with an empty instances vector therefore dereferences a null/garbage ModelInstance* and crashes with EXC_BAD_ACCESS — a jump through a null vtable to 0x0. This happens when opening certain MakerWorld 3MFs: the object-color dialog calls update_obj_preview_origin_thumbnail(), which calls load_object_volume() with a hard-coded instance_idx of 0 for every object, including ones that have no instance yet during loading. Bail out early (returning -1, "no volume added") when model_object is null or volume_idx / instance_idx are out of range. The three other call sites either pass valid indices or ignore the return value. Fixes bambulab#11016
This was referenced Jun 6, 2026: Backport 2.7.1 crash fixes: macOS 26 WebView UAF + MakerWorld 3MF NULL-deref (BenJule/BambuStudio#489, Closed)
BenJule added a commit to BenJule/BambuStudio that referenced this pull request, Jun 6, 2026:
…F NULL-deref) (#490)
Backports my two upstream crash fixes into the fork via develop.
- **WebView use-after-free** (macOS 26.5+ PAC crash / hang) — upstream bambulab#11052, bambulab bambulab#11004/bambulab#10968
- **load_object_volume NULL-deref** (MakerWorld 3MF crash) — upstream bambulab#11053, bambulab bambulab#11016/bambulab#11037
Both are small defensive guards, verified upstream. WebView.cpp +14, 3DScene.cpp +9.
Closes #489
Collaborator: thanks
Contributor: approved
Problem
Opening certain MakerWorld 3MFs crashes BambuStudio while loading. From the crash report in #11016 (macOS, Apple Silicon):
Root cause
GLVolumeCollection::load_object_volume dereferences model_object->instances[instance_idx] and later calls instance->get_transformation() without validating the index:
Plater::update_obj_preview_origin_thumbnail (and update_obj_preview_thumbnail) call this with a hard-coded instance_idx = 0 for every object. An object that has no instance yet during loading makes instances[0] undefined behaviour → a null/garbage ModelInstance* → the jump-to-0x0 crash above.
Fix
A defensive guard at the top of load_object_volume: return early (-1, "no volume added") when model_object is null or volume_idx / instance_idx are out of range. The three call sites either pass valid indices or ignore the return value, so the healthy path is unchanged.
Fixes #11016
It may also be the cause of the intermittent MakerWorld-3MF import crash in #11025, though I have not confirmed that from a stack trace.
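A minimal stand-in for the guard the PR describes, added here as an example and not BambuStudio's own code: the type and function names mirror the PR text (ModelInstance, ModelObject, GLVolumeCollection::load_object_volume), but their bodies, the `Transform` type and the `preview_all_objects` helper that imitates the thumbnail path's hard-coded `instance_idx = 0` are assumptions.

```cpp
#include <cstddef>
#include <vector>
// Constructed stand-ins for the BambuStudio types the PR names
// (assumption: the real classes carry far more state than this).
struct Transform { double tx = 0.0, ty = 0.0, tz = 0.0; };

struct ModelInstance {
    Transform t;
    virtual ~ModelInstance() = default;
    // Virtual like the real accessor: calling it through a garbage
    // pointer is the jump through a bogus vtable the PR describes.
    virtual Transform get_transformation() const { return t; }
};

struct ModelVolume { int id = 0; };

struct ModelObject {
    std::vector<ModelVolume*>   volumes;
    std::vector<ModelInstance*> instances;  // may still be empty mid-load
};

struct GLVolumeCollection {
    std::vector<Transform> loaded;  // stand-in for the GLVolume list
    // Guarded variant: every index is validated before instances[] is read.
    // Returns the index of the added volume, or -1 for "no volume added".
    int load_object_volume(const ModelObject* model_object,
                           int volume_idx, int instance_idx) {
        if (model_object == nullptr) return -1;
        auto in_range = [](int i, std::size_t n) { return i >= 0 && std::size_t(i) < n; };
        if (!in_range(volume_idx,   model_object->volumes.size()))   return -1;
        if (!in_range(instance_idx, model_object->instances.size())) return -1;
        const ModelInstance* instance = model_object->instances[instance_idx];
        loaded.push_back(instance->get_transformation());
        return static_cast<int>(loaded.size()) - 1;
    }
};

// Mirrors the thumbnail path: instance_idx hard-coded to 0 for every object
// and every volume. Returns how many volumes were added; objects with no
// instance yet (or null objects) are skipped instead of crashing.
int preview_all_objects(GLVolumeCollection& coll,
                        const std::vector<ModelObject*>& objects) {
    int added = 0;
    for (const ModelObject* obj : objects) {
        if (obj == nullptr) continue;
        for (std::size_t v = 0; v < obj->volumes.size(); ++v)
            if (coll.load_object_volume(obj, static_cast<int>(v), 0) >= 0) ++added;
    }
    return added;
}
```

Without the three early returns, the `noinst` case below reads `instances[0]` of an empty vector, which is the undefined behaviour behind the reported crash.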