From 28fac4ec2e616f82456335cd690d9f0c7153d7d4 Mon Sep 17 00:00:00 2001
From: helloJetBase-tech <178346048+marktech0813@users.noreply.github.com>
Date: Wed, 12 Nov 2025 07:44:18 +0200
Subject: [PATCH] =?UTF-8?q?:art:=20#3756=20=E3=80=90=E4=BC=81=E4=B8=9A?=
 =?UTF-8?q?=E5=BE=AE=E4=BF=A1=E3=80=91=E4=BF=AE=E5=A4=8D=E4=BC=81=E4=B8=9A?=
 =?UTF-8?q?=E5=BE=AE=E4=BF=A1=20API=20=E5=9B=9E=E8=B0=83=E9=AA=8C=E7=AD=BE?=
 =?UTF-8?q?=E8=BF=87=E7=A8=8B=E4=B8=AD=20WxCryptUtil.decrypt=20=E6=96=B9?=
 =?UTF-8?q?=E6=B3=95=E5=8F=AF=E8=83=BD=E6=8A=9B=E5=87=BA=E5=BC=82=E5=B8=B8?=
 =?UTF-8?q?=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../common/util/crypto/WxCryptUtil.java       | 20 ++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/crypto/WxCryptUtil.java b/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/crypto/WxCryptUtil.java
index 4039580cf..0b0590b1e 100755
--- a/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/crypto/WxCryptUtil.java
+++ b/weixin-java-common/src/main/java/me/chanjar/weixin/common/util/crypto/WxCryptUtil.java
@@ -333,14 +333,28 @@ public class WxCryptUtil {
       byte[] bytes = PKCS7Encoder.decode(original);
 
       // 分离16位随机字符串,网络字节序和AppId
+      if (bytes == null || bytes.length < 20) {
+        throw new WxRuntimeException("解密后数据长度异常，可能为错误的密文或EncodingAESKey");
+      }
       byte[] networkOrder = Arrays.copyOfRange(bytes, 16, 20);
 
       int xmlLength = bytesNetworkOrder2Number(networkOrder);
 
-      xmlContent = new String(Arrays.copyOfRange(bytes, 20, 20 + xmlLength), CHARSET);
-      fromAppid = new String(Arrays.copyOfRange(bytes, 20 + xmlLength, bytes.length), CHARSET);
+      // 长度边界校验，避免非法长度导致的越界/参数异常
+      int startIndex = 20;
+      int endIndex = startIndex + xmlLength;
+      if (xmlLength < 0 || endIndex > bytes.length) {
+        throw new WxRuntimeException("解密后数据格式非法：消息长度不正确，可能为错误的密文或EncodingAESKey");
+      }
+
+      xmlContent = new String(Arrays.copyOfRange(bytes, startIndex, endIndex), CHARSET);
+      fromAppid = new String(Arrays.copyOfRange(bytes, endIndex, bytes.length), CHARSET);
     } catch (Exception e) {
-      throw new WxRuntimeException(e);
+      if (e instanceof WxRuntimeException) {
+        throw (WxRuntimeException) e;
+      } else {
+        throw new WxRuntimeException(e);
+      }
     }
 
     // appid不相同的情况 暂时忽略这段判断