
Fix buffer overflow in toolbar initialization (Intel Mac crash) #178

Merged: schuyler merged 1 commit into main from claude/remove-logs-from-comment-01JjWfYt9QfRFcYCwJ3oCZoh on Nov 24, 2025

@schuyler (Owner)

Summary

Fixes the Intel Mac crash reported in #169 by adding bounds checking to prevent buffer overflow in toolbar initialization.

Root Cause

Buffer overflow in MPToolbarController.m when accessing C arrays without bounds checking:

  • Empty spaceAfterIndices[] array was accessed on every iteration
  • flexibleSpaceAfterIndices[] could overflow when k >= 5

This undefined behavior existed since 2017 but only crashed on Intel Macs after ENABLE_HARDENED_RUNTIME=YES was added in November 2025.

Changes

  • Added bounds checking using sizeof() before array access
  • Added explanatory comments documenting the fix
  • Preserves existing toolbar layout behavior

Testing

  • Code reviewed by Groucho (architect agent)
  • CI tests pass on macOS 14 and 15
  • Launch smoke test passes (validates Crash on start #169 fix)
  • Manual testing by @benel on Intel Mac

Related Issue

Related to #169

Root cause: Accessing C arrays without bounds checking in
MPToolbarController.m, specifically:
- Empty spaceAfterIndices[] array was accessed on every iteration
- flexibleSpaceAfterIndices[] could overflow when k >= 5

This undefined behavior existed since 2017 but only manifested as a
crash on Intel Macs after ENABLE_HARDENED_RUNTIME=YES was added in
November 2025. Hardened Runtime enforces stricter memory checks,
exposing the buffer overflow.

Fix: Add bounds checking before array access using sizeof() to
calculate array lengths. This prevents all out-of-bounds access
while preserving the existing toolbar layout behavior.

Related to #169
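
The bounds check described in this pull request, shown as an added example in plain C; it is not the project's code. The `index_list` type, the `layout_toolbar` function and the sample positions are constructed for illustration, and the empty array is modelled as a list of length 0.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Element count of a true array; wrong if handed a pointer. */
#define COUNT_OF(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical type: sorted item positions that get a separator after them. */
struct index_list { const int *v; size_t n; };

/* Constructed data. Five entries, so cursor k is valid only for 0..4. */
static const int flexible_after[] = {1, 3, 4, 6, 8};
static const struct index_list FLEXIBLE = {flexible_after, COUNT_OF(flexible_after)};
/* The empty list is modelled as length 0 with no storage to read. */
static const struct index_list NONE = {NULL, 0};

/* Writes 'I' per item, 'S' after positions in space, 'F' after positions in
   flex. Returns the string length, or 0 if out cannot hold the layout. */
size_t layout_toolbar(int item_count, struct index_list space,
                      struct index_list flex, char *out, size_t cap)
{
    size_t j = 0, k = 0, len = 0;
    for (int i = 0; i < item_count; i++) {
        /* Worst case per item: 'I' + 'S' + 'F', plus the final NUL. */
        if (len + 4 > cap)
            return 0;
        out[len++] = 'I';
        /* Unchecked form: space.v[j] == i, read on every pass even when the
           list is empty. The length test first short-circuits that read. */
        if (j < space.n && space.v[j] == i) { out[len++] = 'S'; j++; }
        /* Unchecked form reads flex.v[5] once all five entries are used. */
        if (k < flex.n && flex.v[k] == i) { out[len++] = 'F'; k++; }
    }
    if (len >= cap)
        return 0;
    out[len] = '\0';
    return len;
}

int main(void)
{
    char buf[64];
    /* Ten items: k reaches 5 after item 8, item 9 must not touch flex.v[5]. */
    size_t n = layout_toolbar(10, NONE, FLEXIBLE, buf, sizeof buf);
    printf("%zu %s\n", n, buf);
    return 0;
}
```

Building the unchecked form with `-fsanitize=address,undefined` reports the out-of-bounds read on any platform, rather than only where the runtime happens to fault.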

github-actions bot commented Nov 24, 2025

Code Coverage Report

Current Coverage: 32.84%

Coverage Details (Summary)
Name                                                                                                                                   Coverage            
-------------------------------------------------------------------------------------------------------------------------------------- ------------------- 
MASPreferences.bundle                                                                                                                  0.00% (0/0)         
MacDown 3000.app                                                                                                                       36.26% (4508/12431) 

📊 **Full coverage report available in workflow artifacts**

@schuyler mentioned this pull request Nov 24, 2025
@schuyler merged commit 5a0bf63 into main Nov 24, 2025
3 checks passed