From a3f2f8680fa01cbce731191789322419efb5954a Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@lemstra.org>
Date: Sat, 28 Feb 2026 11:31:15 +0100
Subject: [PATCH] Added checks to avoid possible stack corruption
 (GHSA-932h-jw47-73jm)

---
 MagickCore/morphology.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/MagickCore/morphology.c b/MagickCore/morphology.c
index 81bd2265438..727ac100180 100644
--- a/MagickCore/morphology.c
+++ b/MagickCore/morphology.c
@@ -234,6 +234,9 @@ static KernelInfo *ParseKernelArray(const char *kernel_string)
   GeometryInfo
     args;
 
+  size_t
+    length;
+
   kernel=(KernelInfo *) AcquireMagickMemory(sizeof(*kernel));
   if (kernel == (KernelInfo *) NULL)
     return(kernel);
@@ -261,8 +264,9 @@ static KernelInfo *ParseKernelArray(const char *kernel_string)
   if ( p != (char *) NULL && p < end)
     {
       /* ParseGeometry() needs the geometry separated! -- Arrgghh */
-      (void) memcpy(token, kernel_string, (size_t) (p-kernel_string));
-      token[p-kernel_string] = '\0';
+      length=MagickMin((size_t) (p-kernel_string),sizeof(token)-1);
+      (void) memcpy(token, kernel_string, length);
+      token[length] = '\0';
       SetGeometryInfo(&args);
       flags = ParseGeometry(token, &args);
 
@@ -388,6 +392,9 @@ static KernelInfo *ParseKernelName(const char *kernel_string,
   MagickStatusType
     flags;
 
+  size_t
+    length;
+
   ssize_t
     type;
 
@@ -406,8 +413,9 @@ static KernelInfo *ParseKernelName(const char *kernel_string,
     end = strchr(p, '\0');
 
   /* ParseGeometry() needs the geometry separated! -- Arrgghh */
-  (void) memcpy(token, p, (size_t) (end-p));
-  token[end-p] = '\0';
+  length=MagickMin((size_t) (end-p),sizeof(token)-1);
+  (void) memcpy(token, p, length);
+  token[length] = '\0';
   SetGeometryInfo(&args);
   flags = ParseGeometry(token, &args);