From a3f2f8680fa01cbce731191789322419efb5954a Mon Sep 17 00:00:00 2001
From: Dirk Lemstra <dirk@lemstra.org>
Date: Sat, 28 Feb 2026 11:31:15 +0100
Subject: [PATCH] Added checks to avoid possible stack corruption
 (GHSA-932h-jw47-73jm)

---
 MagickCore/morphology.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

Index: ImageMagick-7.1.0-9/MagickCore/morphology.c
===================================================================
--- ImageMagick-7.1.0-9.orig/MagickCore/morphology.c
+++ ImageMagick-7.1.0-9/MagickCore/morphology.c
@@ -235,6 +235,9 @@ static KernelInfo *ParseKernelArray(cons
   GeometryInfo
     args;
 
+  size_t
+    length;
+
   kernel=(KernelInfo *) AcquireMagickMemory(sizeof(*kernel));
   if (kernel == (KernelInfo *) NULL)
     return(kernel);
@@ -262,8 +265,9 @@ static KernelInfo *ParseKernelArray(cons
   if ( p != (char *) NULL && p < end)
     {
       /* ParseGeometry() needs the geometry separated! -- Arrgghh */
-      memcpy(token, kernel_string, (size_t) (p-kernel_string));
-      token[p-kernel_string] = '\0';
+      length=MagickMin((size_t) (p-kernel_string),sizeof(token)-1);
+      memcpy(token, kernel_string, length);
+      token[length] = '\0';
       SetGeometryInfo(&args);
       flags = ParseGeometry(token, &args);
 
@@ -389,6 +393,9 @@ static KernelInfo *ParseKernelName(const
   MagickStatusType
     flags;
 
+  size_t
+    length;
+
   ssize_t
     type;
 
@@ -407,8 +414,9 @@ static KernelInfo *ParseKernelName(const
     end = strchr(p, '\0');
 
   /* ParseGeometry() needs the geometry separated! -- Arrgghh */
-  memcpy(token, p, (size_t) (end-p));
-  token[end-p] = '\0';
+  length=MagickMin((size_t) (end-p),sizeof(token)-1);
+  memcpy(token, p, length);
+  token[length] = '\0';
   SetGeometryInfo(&args);
   flags = ParseGeometry(token, &args);