crypto: guard WebCrypto cipher output length

Reject WebCrypto cipher operations whose computed output length would
exceed INT_MAX before passing the length to OpenSSL.

This avoids signed overflow in the AES and ChaCha20-Poly1305 one-shot
cipher paths and turns oversized inputs into a clean operation failure.

Refs: https://hackerone.com/reports/3760016
Signed-off-by: Filip Skokan <panva.ip@gmail.com>
PR-URL: nodejs-private/node-private#878
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
CVE-ID: CVE-2026-48933

Author: panva

src/crypto/crypto_aes.cc

@@ -120,7 +120,17 @@ WebCryptoCipherStatus AES_Cipher(Environment* env,
   }
 
   size_t total = 0;
-  int buf_len = data_len + ctx.getBlockSize() + (encrypt ? tag_len : 0);
+  const int block_size = ctx.getBlockSize();
+  if (block_size < 0) {
+    return WebCryptoCipherStatus::FAILED;
+  }
+  int buf_len;
+  if (!TryGetIntCipherOutputLength(
+          data_len,
+          static_cast<size_t>(block_size) + (encrypt ? tag_len : 0),
+          &buf_len)) {
+    return WebCryptoCipherStatus::FAILED;
+  }
   int out_len;
 
   ncrypto::Buffer<const unsigned char> buffer = {
@@ -156,7 +166,7 @@ WebCryptoCipherStatus AES_Cipher(Environment* env,
 
   total += out_len;
   CHECK_LE(out_len, buf_len);
-  out_len = ctx.getBlockSize();
+  out_len = block_size;
   if (!ctx.update({}, ptr + total, &out_len, true)) {
     return WebCryptoCipherStatus::FAILED;
   }

src/crypto/crypto_chacha20_poly1305.cc

@@ -267,7 +267,17 @@ WebCryptoCipherStatus ChaCha20Poly1305CipherTraits::DoCipher(
   }
 
   size_t total = 0;
-  int buf_len = data_len + ctx.getBlockSize() + (encrypt ? tag_len : 0);
+  const int block_size = ctx.getBlockSize();
+  if (block_size < 0) {
+    return WebCryptoCipherStatus::FAILED;
+  }
+  int buf_len;
+  if (!TryGetIntCipherOutputLength(
+          data_len,
+          static_cast<size_t>(block_size) + (encrypt ? tag_len : 0),
+          &buf_len)) {
+    return WebCryptoCipherStatus::FAILED;
+  }
   int out_len;
 
   // Process additional authenticated data if present
@@ -297,7 +307,7 @@ WebCryptoCipherStatus ChaCha20Poly1305CipherTraits::DoCipher(
 
   total += out_len;
   CHECK_LE(out_len, buf_len);
-  out_len = ctx.getBlockSize();
+  out_len = block_size;
   if (!ctx.update({}, ptr + total, &out_len, true)) {
     return WebCryptoCipherStatus::FAILED;
   }

src/crypto/crypto_cipher.h

@@ -10,6 +10,7 @@
 #include "memory_tracker.h"
 #include "v8.h"
 
+#include <climits>
 #include <string>
 
 namespace node {
@@ -124,6 +125,18 @@ enum class WebCryptoCipherStatus {
   FAILED
 };
 
+inline bool TryGetIntCipherOutputLength(size_t input_len,
+                                        size_t output_overhead,
+                                        int* output_len) {
+  static constexpr size_t kMaxLength = INT_MAX;
+  if (output_overhead > kMaxLength ||
+      input_len > kMaxLength - output_overhead) {
+    return false;
+  }
+  *output_len = static_cast<int>(input_len + output_overhead);
+  return true;
+}
+
 // CipherJob is a base implementation class for implementations of
 // one-shot sync and async ciphers. It has been added primarily to
 // support the AES and RSA ciphers underlying the WebCrypt API.

test/cctest/test_node_crypto.cc

@@ -2,10 +2,13 @@
 // and setting it to a file that does not exist.
 #define NODE_OPENSSL_SYSTEM_CERT_PATH "/missing/ca.pem"
 
+#include "crypto/crypto_cipher.h"
 #include "crypto/crypto_context.h"
+#include "gtest/gtest.h"
 #include "node_options.h"
 #include "openssl/err.h"
-#include "gtest/gtest.h"
+
+#include <climits>
 
 /*
  * This test verifies that a call to NewRootCertDir with the build time
@@ -48,3 +51,17 @@ TEST(NodeCrypto, MemoryTrackingConstants) {
   EXPECT_EQ(node::crypto::kSizeOf_X509, static_cast<size_t>(128));
   EXPECT_EQ(node::crypto::kSizeOf_EVP_MD_CTX, static_cast<size_t>(48));
 }
+
+TEST(NodeCrypto, TryGetIntCipherOutputLength) {
+  int output_len = 0;
+
+  EXPECT_TRUE(
+      node::crypto::TryGetIntCipherOutputLength(INT_MAX - 16, 16, &output_len));
+  EXPECT_EQ(output_len, INT_MAX);
+
+  EXPECT_FALSE(
+      node::crypto::TryGetIntCipherOutputLength(INT_MAX - 15, 16, &output_len));
+
+  EXPECT_FALSE(node::crypto::TryGetIntCipherOutputLength(
+      0, static_cast<size_t>(INT_MAX) + 1, &output_len));
+}