Commit a3f2f8680 for imagemagick.org
commit a3f2f8680fa01cbce731191789322419efb5954a
Author: Dirk Lemstra <dirk@lemstra.org>
Date: Sat Feb 28 11:31:15 2026 +0100
Added checks to avoid possible stack corruption (GHSA-932h-jw47-73jm)
diff --git a/MagickCore/morphology.c b/MagickCore/morphology.c
index 81bd22654..727ac1001 100644
--- a/MagickCore/morphology.c
+++ b/MagickCore/morphology.c
@@ -234,6 +234,9 @@ static KernelInfo *ParseKernelArray(const char *kernel_string)
GeometryInfo
args;
+ size_t
+ length;
+
kernel=(KernelInfo *) AcquireMagickMemory(sizeof(*kernel));
if (kernel == (KernelInfo *) NULL)
return(kernel);
@@ -261,8 +264,9 @@ static KernelInfo *ParseKernelArray(const char *kernel_string)
if ( p != (char *) NULL && p < end)
{
/* ParseGeometry() needs the geometry separated! -- Arrgghh */
- (void) memcpy(token, kernel_string, (size_t) (p-kernel_string));
- token[p-kernel_string] = '\0';
+ length=MagickMin((size_t) (p-kernel_string),sizeof(token)-1);
+ (void) memcpy(token, kernel_string, length);
+ token[length] = '\0';
SetGeometryInfo(&args);
flags = ParseGeometry(token, &args);
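Review bot: The clamp `length=MagickMin((size_t) (p-kernel_string),sizeof(token)-1);` stops the out-of-bounds write, but it silently truncates an over-long geometry prefix, so ParseGeometry() parses a string the caller never supplied; the `end-p` clamp in the ParseKernelName hunk behaves the same way. Rejecting the input is easier to reason about: test `if ((size_t) (p-kernel_string) >= sizeof(token))` and leave through the function's existing failure return, which lies outside this hunk. The bound is only correct if `token` is a true array in this scope, and its declaration is not visible here, so confirm that `sizeof(token)` yields the buffer size rather than a pointer size. If truncation is intended, a comment such as `/* geometry longer than token is truncated, not rejected */` above the clamp would make that explicit.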
@@ -388,6 +392,9 @@ static KernelInfo *ParseKernelName(const char *kernel_string,
MagickStatusType
flags;
+ size_t
+ length;
+
ssize_t
type;
@@ -406,8 +413,9 @@ static KernelInfo *ParseKernelName(const char *kernel_string,
end = strchr(p, '\0');
/* ParseGeometry() needs the geometry separated! -- Arrgghh */
- (void) memcpy(token, p, (size_t) (end-p));
- token[end-p] = '\0';
+ length=MagickMin((size_t) (end-p),sizeof(token)-1);
+ (void) memcpy(token, p, length);
+ token[length] = '\0';
SetGeometryInfo(&args);
flags = ParseGeometry(token, &args);