From f6cd30e0493635eb0b8a4e3dd93c1ac14a35a7e9 Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@lemstra.org>
Date: Sat, 28 Feb 2026 11:31:22 +0100
Subject: [PATCH] Added checks to avoid possible stack corruption
 (https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-932h-jw47-73jm)

---
 magick/morphology.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

Index: ImageMagick-6.8.8-1/magick/morphology.c
===================================================================
--- ImageMagick-6.8.8-1.orig/magick/morphology.c
+++ ImageMagick-6.8.8-1/magick/morphology.c
@@ -242,6 +242,9 @@ static KernelInfo *ParseKernelArray(cons
   GeometryInfo
     args;
 
+  size_t
+    length;
+
   kernel=(KernelInfo *) AcquireMagickMemory(sizeof(*kernel));
   if (kernel == (KernelInfo *)NULL)
     return(kernel);
@@ -269,8 +272,9 @@ static KernelInfo *ParseKernelArray(cons
   if ( p != (char *) NULL && p < end)
     {
       /* ParseGeometry() needs the geometry separated! -- Arrgghh */
-      memcpy(token, kernel_string, (size_t) (p-kernel_string));
-      token[p-kernel_string] = '\0';
+      length=MagickMin((size_t) (p-kernel_string),sizeof(token)-1);
+      memcpy(token, kernel_string, length);
+      token[length] = '\0';
       SetGeometryInfo(&args);
       flags = ParseGeometry(token, &args);
 
@@ -395,6 +399,9 @@ static KernelInfo *ParseKernelName(const
   MagickStatusType
     flags;
 
+  size_t
+    length;
+
   ssize_t
     type;
 
@@ -413,8 +420,9 @@ static KernelInfo *ParseKernelName(const
     end = strchr(p, '\0');
 
   /* ParseGeometry() needs the geometry separated! -- Arrgghh */
-  memcpy(token, p, (size_t) (end-p));
-  token[end-p] = '\0';
+  length=MagickMin((size_t) (end-p),sizeof(token)-1);
+  memcpy(token, p, length);
+  token[length] = '\0';
   SetGeometryInfo(&args);
   flags = ParseGeometry(token, &args);