
fix: guard load_object_volume against objects with no instances (crash opening some MakerWorld 3MFs) #11053

Merged: lanewei120 merged 1 commit into bambulab:master from BenJule:fix/objcolor-thumbnail-instances-crash on Jun 11, 2026

Conversation

BenJule (Contributor) commented Jun 6, 2026

Problem

Opening certain MakerWorld 3MFs crashes BambuStudio while loading. From the crash report in #11016 (macOS, Apple Silicon):

Exception Type:  EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000000

0   ???                 0x0  ???
1   GLVolumeCollection::load_object_volume(...)
2   Plater::update_obj_preview_origin_thumbnail(...)
3   ObjColorPanel::generate_origin_thumbnail()
4   ObjColorPanel::ObjColorPanel(...)
...
9   GUI_App::handle_web_request(...)   // opened from MakerWorld

Root cause

GLVolumeCollection::load_object_volume dereferences model_object->instances[instance_idx] and later calls instance->get_transformation() without validating the index:

const ModelInstance *instance = model_object->instances[instance_idx];
...
v.set_instance_transformation(instance->get_transformation());   // crash if instance is garbage

Plater::update_obj_preview_origin_thumbnail (and update_obj_preview_thumbnail) call this with a hard-coded instance_idx = 0 for every object. An object that has no instance yet during loading makes instances[0] undefined behaviour → a null/garbage ModelInstance* → the jump-to-0x0 crash above.

Fix

A defensive guard at the top of load_object_volume: return early (-1, "no volume added") when model_object is null or volume_idx / instance_idx are out of range. The three call sites either pass valid indices or ignore the return value, so the healthy path is unchanged.

Fixes #11016

It may also be the cause of the intermittent MakerWorld-3MF import crash in #11025, though I have not confirmed that from a stack trace.
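The failure mode and the guard described above, as an added example that is not BambuStudio's code. The struct names (ModelObject, ModelInstance, GLVolumeCollection) follow the PR text but are hypothetical reduced stand-ins, the real load_object_volume takes more parameters, and thumbnail_pass is an invented model of the hard-coded instance_idx = 0 caller. The unguarded variant is kept only for contrast and is never called with an index the object cannot satisfy.

```cpp
#include <cstddef>
#include <iostream>
#include <vector>

// Hypothetical stand-ins for the BambuStudio model types named in the PR.
// They carry only what the example needs; the real classes are far larger.
struct Transformation {
    double offset[3] = {0.0, 0.0, 0.0};
};

struct ModelInstance {
    Transformation trafo;
    const Transformation &get_transformation() const { return trafo; }
};

struct ModelVolume {
    int mesh_id = 0;
};

struct ModelObject {
    std::vector<ModelVolume *> volumes;
    std::vector<ModelInstance *> instances;  // empty for an object still being loaded
};

struct GLVolume {
    int mesh_id = -1;
    Transformation instance_trafo;
    void set_instance_transformation(const Transformation &t) { instance_trafo = t; }
};

struct GLVolumeCollection {
    std::vector<GLVolume> volumes;

    // "Before": the access pattern quoted in the PR. instances[instance_idx]
    // on an empty vector is undefined behaviour, and dereferencing whatever
    // pointer comes back is the reported EXC_BAD_ACCESS. Never call this with
    // an index the object cannot satisfy.
    int load_object_volume_unguarded(const ModelObject *model_object,
                                     int volume_idx, int instance_idx) {
        const ModelVolume *volume = model_object->volumes[volume_idx];
        const ModelInstance *instance = model_object->instances[instance_idx];
        GLVolume v;
        v.mesh_id = volume->mesh_id;
        v.set_instance_transformation(instance->get_transformation());
        volumes.push_back(v);
        return static_cast<int>(volumes.size()) - 1;
    }

    // "After": the guard the PR describes. Returns -1 ("no volume added") when
    // the object is null or either index is out of range; the vector sizes are
    // the source of truth, so a caller's hard-coded 0 cannot reach garbage.
    int load_object_volume(const ModelObject *model_object,
                           int volume_idx, int instance_idx) {
        if (model_object == nullptr)
            return -1;
        if (volume_idx < 0 ||
            static_cast<std::size_t>(volume_idx) >= model_object->volumes.size())
            return -1;
        if (instance_idx < 0 ||
            static_cast<std::size_t>(instance_idx) >= model_object->instances.size())
            return -1;
        return load_object_volume_unguarded(model_object, volume_idx, instance_idx);
    }
};

// Invented model of the thumbnail caller: every volume of every object is
// loaded with instance_idx = 0, as the PR says update_obj_preview_origin_thumbnail()
// does. Returns how many objects contributed no volume (null or no instance yet).
int thumbnail_pass(const std::vector<const ModelObject *> &objects,
                   GLVolumeCollection &coll) {
    int skipped = 0;
    for (const ModelObject *obj : objects) {
        bool added_any = false;
        if (obj != nullptr)
            for (std::size_t vi = 0; vi < obj->volumes.size(); ++vi)
                if (coll.load_object_volume(obj, static_cast<int>(vi), 0) >= 0)
                    added_any = true;
        if (!added_any)
            ++skipped;
    }
    return skipped;
}

int main() {
    // Constructed scene: one fully loaded object and one still missing its instance.
    ModelInstance inst;
    ModelVolume vol;
    ModelObject ok;
    ok.volumes.push_back(&vol);
    ok.instances.push_back(&inst);
    ModelObject partial;
    partial.volumes.push_back(&vol);

    GLVolumeCollection coll;
    int skipped = thumbnail_pass({&ok, &partial}, coll);
    std::cout << "volumes added: " << coll.volumes.size()
              << ", objects skipped: " << skipped << '\n';
    return 0;
}
```

Build with `g++ -std=c++17 guard_example.cpp`. The guarded path leaves the thumbnail caller untouched, which is the property the PR relies on: the call sites that already pass valid indices see the same return values, and the one that does not simply gets -1 and moves on.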

GLVolumeCollection::load_object_volume dereferences
model_object->instances[instance_idx] (e.g. instance->get_transformation())
without validating the index. An object with an empty instances vector therefore
dereferences a null/garbage ModelInstance* and crashes with EXC_BAD_ACCESS — a
jump through a null vtable to 0x0.

This happens when opening certain MakerWorld 3MFs: the object-color dialog calls
update_obj_preview_origin_thumbnail(), which calls load_object_volume() with a
hard-coded instance_idx of 0 for every object, including ones that have no
instance yet during loading.

Bail out early (returning -1, "no volume added") when model_object is null or
volume_idx / instance_idx are out of range. The three other call sites either
pass valid indices or ignore the return value.

Fixes bambulab#11016
BenJule added a commit to BenJule/BambuStudio that referenced this pull request Jun 6, 2026
…F NULL-deref) (#490)

Backports my two upstream crash fixes into the fork via develop.

- **WebView use-after-free** (macOS 26.5+ PAC crash / hang) — upstream
bambulab#11052, bambulab bambulab#11004/bambulab#10968
- **load_object_volume NULL-deref** (MakerWorld 3MF crash) — upstream
bambulab#11053, bambulab bambulab#11016/bambulab#11037

Both are small defensive guards, verified upstream. WebView.cpp +14,
3DScene.cpp +9.

Closes #489
lanewei120 merged commit e971e5f into bambulab:master Jun 11, 2026
14 of 17 checks passed
lanewei120 (Collaborator) commented:

thanks

guanyun-gudujian (Contributor) commented:

approved

Labels: None yet

3 participants