crypto: fix handling of null BUF_MEM* in ToV8Value()

ndossche · web-flow · commit 488a854cf5fc · 2026-02-25T13:56:28.000Z
The assignment to `bptr` calls `BIO_get_mem_ptr` which can fail and leave the `bptr` as nullptr. This then later causes a null pointer deref. This is inconsistent with uses of the similar function `BIO_get_mem_data` that do check its return value, e.g. `node::crypto::X509sToArrayOfStrings()`. Solve it by checking for a null pointer and handling the `Nothing` return value at the call sites. PR-URL: #61885 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
diff --git a/src/crypto/crypto_keys.cc b/src/crypto/crypto_keys.cc
@@ -86,8 +86,15 @@ MaybeLocal<Value> ToV8Value(
     Environment* env,
     const BIOPointer& bio,
     const EVPKeyPointer::AsymmetricKeyEncodingConfig& config) {
-  if (!bio) return {};
+  if (!bio) {
+    THROW_ERR_CRYPTO_OPERATION_FAILED(env, "Invalid BIO pointer");
+    return {};
+  }
   BUF_MEM* bptr = bio;
+  if (!bptr) {
+    THROW_ERR_CRYPTO_OPERATION_FAILED(env, "Unable to create BUF_MEM pointer");
+    return {};
+  }
   if (config.format == EVPKeyPointer::PKFormatType::PEM) {
     // PEM is an ASCII format, so we will return it as a string.
     return String::NewFromUtf8(
diff --git a/src/crypto/crypto_x509.cc b/src/crypto/crypto_x509.cc
@@ -106,6 +106,8 @@ MaybeLocal<Value> ToV8Value(Local<Context> context, BIOPointer&& bio) {
   if (!bio) [[unlikely]]
     return {};
   BUF_MEM* mem = bio;
+  if (!mem) [[unlikely]]
+    return {};
   Local<Value> ret;
   if (!String::NewFromUtf8(Isolate::GetCurrent(),
                            mem->data,
@@ -120,6 +122,8 @@ MaybeLocal<Value> ToV8Value(Local<Context> context, const BIOPointer& bio) {
   if (!bio) [[unlikely]]
     return {};
   BUF_MEM* mem = bio;
+  if (!mem) [[unlikely]]
+    return {};
   Local<Value> ret;
   if (!String::NewFromUtf8(Isolate::GetCurrent(),
                            mem->data,
@@ -134,6 +138,8 @@ MaybeLocal<Value> ToBuffer(Environment* env, BIOPointer* bio) {
   if (bio == nullptr || !*bio) [[unlikely]]
     return {};
   BUF_MEM* mem = *bio;
+  if (!mem) [[unlikely]]
+    return {};
 #ifdef V8_ENABLE_SANDBOX
   // If the v8 sandbox is enabled, then all array buffers must be allocated
   // via the isolate. External buffers are not allowed. So, instead of wrapping
