From 78ab09ab5eb498cbf38112642eacce94fad865b2 Mon Sep 17 00:00:00 2001
From: armorbreak001
Date: Thu, 30 Apr 2026 04:59:50 +0800
Subject: [PATCH] crypto,quic: add NULL checks for OpenSSL allocation functions

Replace CHECK() assertions with graceful error handling for EVP_CIPHER_CTX_new() allocation failures.
- src/crypto/crypto_aes.cc: In AES_Cipher(), replace CHECK(ctx) with early return of WebCryptoCipherStatus::FAILED, matching the pattern already used in AES_CTR_Cipher2() in the same file.
- src/crypto/crypto_cipher.cc: In CipherBase::CommonInit(), replace CHECK(ctx_) with ThrowCryptoError(), matching the error handling pattern used elsewhere in the function.
Note: The other locations mentioned in #62774 (AES_CTR_Cipher2, TLSSession::Initialize, and ECKeyExportTraits::DoExport) already have proper NULL checks in the current codebase or have been refactored such that the relevant code no longer exists.
Fixes: https://github.com/nodejs/node/issues/62774
---
 src/crypto/crypto_aes.cc | 4 +++-
 src/crypto/crypto_cipher.cc | 6 +++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/crypto/crypto_aes.cc b/src/crypto/crypto_aes.cc
index fa619696ffd5b2..1d601eadfe71e8 100644
--- a/src/crypto/crypto_aes.cc
+++ b/src/crypto/crypto_aes.cc
@@ -48,7 +48,9 @@ WebCryptoCipherStatus AES_Cipher(Environment* env,
 CHECK_EQ(key_data.GetKeyType(), kKeyTypeSecret);
 auto ctx = CipherCtxPointer::New();
- CHECK(ctx);
+ if (!ctx) {
+ return WebCryptoCipherStatus::FAILED;
+ }
 if (params.cipher.isWrapMode()) {
 ctx.setAllowWrap();
diff --git a/src/crypto/crypto_cipher.cc b/src/crypto/crypto_cipher.cc
index 638dda0ad10593..83eb48a307931a 100644
--- a/src/crypto/crypto_cipher.cc
+++ b/src/crypto/crypto_cipher.cc
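Review bot: The new early return in AES_Cipher() (src/crypto/crypto_aes.cc) reports a failed context allocation with the same `WebCryptoCipherStatus::FAILED` as any other failure, and nothing at the call site says why the branch exists. A one-line comment above `if (!ctx)` would keep the intent visible, for example `// Null ctx means the cipher context could not be allocated; fail the operation instead of aborting the process.` AES_Cipher() starts and ends outside the hunk, so whether its caller surfaces anything more specific than a generic failure cannot be confirmed from here.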
@@ -338,7 +338,11 @@ void CipherBase::CommonInit(const char* cipher_type,
 MarkPopErrorOnReturn mark_pop_error_on_return;
 CHECK(!ctx_);
 ctx_ = CipherCtxPointer::New();
- CHECK(ctx_);
+ if (!ctx_) {
+ return ThrowCryptoError(env(),
+ mark_pop_error_on_return.peekError(),
+ "Failed to allocate cipher context");
+ }
 if (cipher.isWrapMode()) {
 ctx_.setAllowWrap();
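Review bot: With `CHECK(ctx_)` removed, CommonInit() can now return with `ctx_` still null and an exception pending, a state the old assertion made unreachable. Only the start of the function is in the hunk, so it is worth confirming that the callers of CommonInit() and the later CipherBase methods treat a null `ctx_` as an error state rather than assuming initialization succeeded. An allocation failure may also leave the OpenSSL error queue empty, in which case `peekError()` presumably returns 0 and the throw depends on the supplied message. A short comment such as `// peekError() may be 0 on allocation failure; the message is the fallback.` would make that explicit.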