crypto: fix aes crash when tag length too small

lib/internal/crypto/aes.js

@@ -45,6 +45,8 @@ const {
   kKeyObject,
 } = require('internal/crypto/util');
 
+const { PromiseReject } = primordials;
+
 const {
   codes: {
     ERR_INVALID_ARG_TYPE,
@@ -167,9 +169,9 @@ function asyncAesGcmCipher(
   data,
   { iv, additionalData, tagLength = 128 }) {
   if (!ArrayPrototypeIncludes(kTagLengths, tagLength)) {
-    throw lazyDOMException(
+    return PromiseReject(lazyDOMException(
       `${tagLength} is not a valid AES-GCM tag length`,
-      'OperationError');
+      'OperationError'));
   }
 
   iv = getArrayBufferOrView(iv, 'algorithm.iv');
@@ -188,6 +190,17 @@ function asyncAesGcmCipher(
       const slice = ArrayBufferIsView(data) ?
         TypedArrayPrototypeSlice : ArrayBufferPrototypeSlice;
       tag = slice(data, -tagByteLength);
+
+      // Refs: https://www.w3.org/TR/WebCryptoAPI/#aes-gcm-operations
+      //
+      // > If *plaintext* has a length less than *tagLength* bits, then `throw`
+      // > an `OperationError`.
+      if (tagByteLength > tag.byteLength) {
+        return PromiseReject(lazyDOMException(
+          'The provided data is too small.',
+          'OperationError'));
+      }
+
       data = slice(data, 0, -tagByteLength);
       break;
     case kWebCryptoCipherEncrypt:

test/parallel/test-crypto-webcrypto-aes-decrypt-tag-too-small.js

@@ -0,0 +1,29 @@
+'use strict';
+
+const common = require('../common');
+
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const assert = require('assert');
+const crypto = require('crypto').webcrypto;
+
+crypto.subtle.importKey(
+  'raw',
+  new Uint8Array(32),
+  {
+    name: 'AES-GCM'
+  },
+  false,
+  [ 'encrypt', 'decrypt' ])
+  .then((k) => {
+    assert.rejects(() => {
+      return crypto.subtle.decrypt({
+        name: 'AES-GCM',
+        iv: new Uint8Array(12),
+      }, k, new Uint8Array(0));
+    }, {
+      name: 'OperationError',
+      message: /The provided data is too small/,
+    });
+  });