From 6892f42042d874f6fc696877ccb96e8ad9b941d7 Mon Sep 17 00:00:00 2001
From: Herrtian <70463940+Herrtian@users.noreply.github.com>
Date: Sun, 24 May 2026 20:15:07 +0200
Subject: [PATCH] crypto: handle cipher context allocation failures

Signed-off-by: Herrtian <70463940+Herrtian@users.noreply.github.com>
---
 src/crypto/crypto_aes.cc               |  4 +++-
 src/crypto/crypto_chacha20_poly1305.cc |  4 +++-
 src/crypto/crypto_cipher.cc            | 10 +++++++++-
 3 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/crypto/crypto_aes.cc b/src/crypto/crypto_aes.cc
index 9172def7d4ebee..2f8f9571c6d2db 100644
--- a/src/crypto/crypto_aes.cc
+++ b/src/crypto/crypto_aes.cc
@@ -48,7 +48,9 @@ WebCryptoCipherStatus AES_Cipher(Environment* env,
   CHECK_EQ(key_data.GetKeyType(), kKeyTypeSecret);
 
   auto ctx = CipherCtxPointer::New();
-  CHECK(ctx);
+  if (!ctx) {
+    return WebCryptoCipherStatus::FAILED;
+  }
 
   if (params.cipher.isWrapMode()) {
     ctx.setAllowWrap();
diff --git a/src/crypto/crypto_chacha20_poly1305.cc b/src/crypto/crypto_chacha20_poly1305.cc
index cfe43122d5aa55..7393c10f3c51ea 100644
--- a/src/crypto/crypto_chacha20_poly1305.cc
+++ b/src/crypto/crypto_chacha20_poly1305.cc
@@ -222,7 +222,9 @@ WebCryptoCipherStatus ChaCha20Poly1305CipherTraits::DoCipher(
   return WebCryptoCipherStatus::OK;
 #else
   auto ctx = CipherCtxPointer::New();
-  CHECK(ctx);
+  if (!ctx) {
+    return WebCryptoCipherStatus::FAILED;
+  }
 
   const bool encrypt = cipher_mode == kWebCryptoCipherEncrypt;
 
diff --git a/src/crypto/crypto_cipher.cc b/src/crypto/crypto_cipher.cc
index dec72c20412e4e..a165e8e3409d6f 100644
--- a/src/crypto/crypto_cipher.cc
+++ b/src/crypto/crypto_cipher.cc
@@ -93,6 +93,11 @@ void GetCipherInfo(const FunctionCallbackInfo<Value>& args) {
     // If it is, then the getCipherInfo will succeed with the given
     // values.
     auto ctx = CipherCtxPointer::New();
+    if (!ctx) {
+      return THROW_ERR_CRYPTO_OPERATION_FAILED(
+          env, "Failed to allocate cipher context");
+    }
+
     if (!ctx.init(cipher, true)) {
       return;
     }
@@ -338,7 +343,10 @@ void CipherBase::CommonInit(const char* cipher_type,
   MarkPopErrorOnReturn mark_pop_error_on_return;
   CHECK(!ctx_);
   ctx_ = CipherCtxPointer::New();
-  CHECK(ctx_);
+  if (!ctx_) {
+    return THROW_ERR_CRYPTO_OPERATION_FAILED(
+        env(), "Failed to allocate cipher context");
+  }
 
   if (cipher.isWrapMode()) {
     ctx_.setAllowWrap();