crypto: guard WebCrypto cipher output length

panva · aduh95 · commit 98fbc892119d · 2026-06-17T18:52:23.000+02:00
Reject WebCrypto cipher operations whose computed output length would exceed INT_MAX before passing the length to OpenSSL. This avoids signed overflow in the AES and ChaCha20-Poly1305 one-shot cipher paths and turns oversized inputs into a clean operation failure. Refs: https://hackerone.com/reports/3760016 Signed-off-by: Filip Skokan <panva.ip@gmail.com> PR-URL: nodejs-private/node-private#878 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> CVE-ID: CVE-2026-48933
diff --git a/src/crypto/crypto_aes.cc b/src/crypto/crypto_aes.cc
@@ -118,7 +118,17 @@ WebCryptoCipherStatus AES_Cipher(Environment* env,
   }
 
   size_t total = 0;
-  int buf_len = data_len + ctx.getBlockSize() + (encrypt ? tag_len : 0);
+  const int block_size = ctx.getBlockSize();
+  if (block_size < 0) {
+    return WebCryptoCipherStatus::FAILED;
+  }
+  int buf_len;
+  if (!TryGetIntCipherOutputLength(
+          data_len,
+          static_cast<size_t>(block_size) + (encrypt ? tag_len : 0),
+          &buf_len)) {
+    return WebCryptoCipherStatus::FAILED;
+  }
   int out_len;
 
   ncrypto::Buffer<const unsigned char> buffer = {
@@ -154,7 +164,7 @@ WebCryptoCipherStatus AES_Cipher(Environment* env,
 
   total += out_len;
   CHECK_LE(out_len, buf_len);
-  out_len = ctx.getBlockSize();
+  out_len = block_size;
   if (!ctx.update({}, ptr + total, &out_len, true)) {
     return WebCryptoCipherStatus::FAILED;
   }
diff --git a/src/crypto/crypto_chacha20_poly1305.cc b/src/crypto/crypto_chacha20_poly1305.cc
@@ -265,7 +265,17 @@ WebCryptoCipherStatus ChaCha20Poly1305CipherTraits::DoCipher(
   }
 
   size_t total = 0;
-  int buf_len = data_len + ctx.getBlockSize() + (encrypt ? tag_len : 0);
+  const int block_size = ctx.getBlockSize();
+  if (block_size < 0) {
+    return WebCryptoCipherStatus::FAILED;
+  }
+  int buf_len;
+  if (!TryGetIntCipherOutputLength(
+          data_len,
+          static_cast<size_t>(block_size) + (encrypt ? tag_len : 0),
+          &buf_len)) {
+    return WebCryptoCipherStatus::FAILED;
+  }
   int out_len;
 
   // Process additional authenticated data if present
@@ -295,7 +305,7 @@ WebCryptoCipherStatus ChaCha20Poly1305CipherTraits::DoCipher(
 
   total += out_len;
   CHECK_LE(out_len, buf_len);
-  out_len = ctx.getBlockSize();
+  out_len = block_size;
   if (!ctx.update({}, ptr + total, &out_len, true)) {
     return WebCryptoCipherStatus::FAILED;
   }
diff --git a/src/crypto/crypto_cipher.h b/src/crypto/crypto_cipher.h
@@ -10,6 +10,7 @@
 #include "memory_tracker.h"
 #include "v8.h"
 
+#include <climits>
 #include <string>
 
 namespace node {
@@ -124,6 +125,18 @@ enum class WebCryptoCipherStatus {
   FAILED
 };
 
+inline bool TryGetIntCipherOutputLength(size_t input_len,
+                                        size_t output_overhead,
+                                        int* output_len) {
+  static constexpr size_t kMaxLength = INT_MAX;
+  if (output_overhead > kMaxLength ||
+      input_len > kMaxLength - output_overhead) {
+    return false;
+  }
+  *output_len = static_cast<int>(input_len + output_overhead);
+  return true;
+}
+
 // CipherJob is a base implementation class for implementations of
 // one-shot sync and async ciphers. It has been added primarily to
 // support the AES and RSA ciphers underlying the WebCrypt API.
diff --git a/test/cctest/test_node_crypto.cc b/test/cctest/test_node_crypto.cc
@@ -2,10 +2,13 @@
 // and setting it to a file that does not exist.
 #define NODE_OPENSSL_SYSTEM_CERT_PATH "/missing/ca.pem"
 
+#include "crypto/crypto_cipher.h"
 #include "crypto/crypto_context.h"
+#include "gtest/gtest.h"
 #include "node_options.h"
 #include "openssl/err.h"
-#include "gtest/gtest.h"
+
+#include <climits>
 
 /*
  * This test verifies that a call to NewRootCertDir with the build time
@@ -48,3 +51,17 @@ TEST(NodeCrypto, MemoryTrackingConstants) {
   EXPECT_EQ(node::crypto::kSizeOf_X509, 128);
   EXPECT_EQ(node::crypto::kSizeOf_EVP_MD_CTX, 48);
 }
+
+TEST(NodeCrypto, TryGetIntCipherOutputLength) {
+  int output_len = 0;
+
+  EXPECT_TRUE(
+      node::crypto::TryGetIntCipherOutputLength(INT_MAX - 16, 16, &output_len));
+  EXPECT_EQ(output_len, INT_MAX);
+
+  EXPECT_FALSE(
+      node::crypto::TryGetIntCipherOutputLength(INT_MAX - 15, 16, &output_len));
+
+  EXPECT_FALSE(node::crypto::TryGetIntCipherOutputLength(
+      0, static_cast<size_t>(INT_MAX) + 1, &output_len));
+}
