From 8bf203d0eaa0d806761e546bc20c4877e1d0e94e Mon Sep 17 00:00:00 2001
From: IFAKA
Date: Fri, 19 Dec 2025 01:08:29 +0100
Subject: [PATCH] Add bounds checking for toc and spine array access

getSpineIndexForTocIndex() and getTocIndexForSpineIndex() accessed toc[tocIndex] and spine[spineIndex] without validating the index was within bounds. This could cause crashes with malformed EPUBs or unexpected input.
---
 lib/Epub/Epub.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/lib/Epub/Epub.cpp b/lib/Epub/Epub.cpp
index 1477d72..408ebf8 100644
--- a/lib/Epub/Epub.cpp
+++ b/lib/Epub/Epub.cpp
@@ -322,6 +322,11 @@ int Epub::getTocItemsCount() const { return toc.size(); }

 // work out the section index for a toc index
 int Epub::getSpineIndexForTocIndex(const int tocIndex) const {
+ if (tocIndex < 0 || tocIndex >= toc.size()) {
+ Serial.printf("[%lu] [EBP] getSpineIndexForTocIndex: tocIndex %d out of range\n", millis(), tocIndex);
+ return 0;
+ }
+
 // the toc entry should have an href that matches the spine item
 // so we can find the spine index by looking for the href
 for (int i = 0; i < spine.size(); i++) {
@@ -336,6 +341,11 @@ int Epub::getSpineIndexForTocIndex(const int tocIndex) const {
 }

 int Epub::getTocIndexForSpineIndex(const int spineIndex) const {
+ if (spineIndex < 0 || spineIndex >= spine.size()) {
+ Serial.printf("[%lu] [EBP] getTocIndexForSpineIndex: spineIndex %d out of range\n", millis(), spineIndex);
+ return -1;
+ }
+
 // the toc entry should have an href that matches the spine item
 // so we can find the toc index by looking for the href
 for (int i = 0; i < toc.size(); i++) {
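Review bot: The out-of-range branch added to getSpineIndexForTocIndex returns `0`, which is also a valid spine index, so a caller cannot tell a rejected tocIndex from a genuine match on the first spine item; the matching guard in getTocIndexForSpineIndex returns `-1`. If callers can cope with it, `return -1;` would make the two accessors agree; otherwise the fallback should be stated where it happens, for example `return 0;  // deliberate fallback: first spine item`. The function's own not-found return lies outside this hunk, so the value used there should be checked before choosing between the two.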
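Review bot: The `return -1;` added to getTocIndexForSpineIndex is safe only if every caller tests the result before using it as an index into `toc`, and nothing in the hunk records that contract. A one-line comment above the function would do it: `// returns -1 when spineIndex is out of range; check before indexing toc`. Callers are not visible here, so it is worth confirming that none of them passes the result straight into a toc lookup, since a malformed EPUB is exactly the input that would reach this branch. The body of the function continues past the end of the hunk.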