From b7db0e3c034eff6eceecb7980346216d62aa36f9 Mon Sep 17 00:00:00 2001
From: RoomWithOutRoof <yueyue@sparkx.link>
Date: Sun, 19 Apr 2026 10:38:49 +0800
Subject: [PATCH] crypto: replace CHECK with NULL checks for EVP_CIPHER_CTX_new
 allocations

Replace CHECK() assertions with proper NULL checks and error returns
for EVP_CIPHER_CTX_new() allocations. CHECK() causes an abort()
on failure, which is not appropriate for recoverable allocation failures.
Instead, return a failure status or throw a proper crypto error.

Fixes: nodejs/node#62774
---
 src/crypto/crypto_aes.cc    | 4 +++-
 src/crypto/crypto_cipher.cc | 6 +++++-
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/crypto/crypto_aes.cc b/src/crypto/crypto_aes.cc
index fa619696ffd5b2..1d601eadfe71e8 100644
--- a/src/crypto/crypto_aes.cc
+++ b/src/crypto/crypto_aes.cc
@@ -48,7 +48,9 @@ WebCryptoCipherStatus AES_Cipher(Environment* env,
   CHECK_EQ(key_data.GetKeyType(), kKeyTypeSecret);
 
   auto ctx = CipherCtxPointer::New();
-  CHECK(ctx);
+  if (!ctx) {
+    return WebCryptoCipherStatus::FAILED;
+  }
 
   if (params.cipher.isWrapMode()) {
     ctx.setAllowWrap();
diff --git a/src/crypto/crypto_cipher.cc b/src/crypto/crypto_cipher.cc
index 638dda0ad10593..8d93e845322f28 100644
--- a/src/crypto/crypto_cipher.cc
+++ b/src/crypto/crypto_cipher.cc
@@ -338,7 +338,11 @@ void CipherBase::CommonInit(const char* cipher_type,
   MarkPopErrorOnReturn mark_pop_error_on_return;
   CHECK(!ctx_);
   ctx_ = CipherCtxPointer::New();
-  CHECK(ctx_);
+  if (!ctx_) {
+    return ThrowCryptoError(env(),
+                            mark_pop_error_on_return.peekError(),
+                            "EVP_CIPHER_CTX_new");
+  }
 
   if (cipher.isWrapMode()) {
     ctx_.setAllowWrap();