From 5facfecf1abb3fed46a08f614dcc43d1e548e20d Mon Sep 17 00:00:00 2001
From: Cristy <urban-warrior@imagemagick.org>
Date: Thu, 9 Apr 2026 13:22:00 -0400
Subject: [PATCH] 
 https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-r83h-crwp-3vm7

---
 MagickCore/property.c | 29 ++++++++++++++++++++---------
 1 file changed, 20 insertions(+), 9 deletions(-)

diff --git a/MagickCore/property.c b/MagickCore/property.c
index 90046aded1..2c8a426fcf 100644
--- a/MagickCore/property.c
+++ b/MagickCore/property.c
@@ -1886,7 +1886,10 @@ static void GetXMPProperty(const Image *image,const char *property)
       while (description != (XMLTreeInfo *) NULL)
       {
         char
-          *xmp_namespace;
+          *property;
+
+        size_t
+          property_length;
 
         node=GetXMLTreeChild(description,(const char *) NULL);
         while (node != (XMLTreeInfo *) NULL)
@@ -1896,20 +1899,28 @@ static void GetXMPProperty(const Image *image,const char *property)
           if ((child == (XMLTreeInfo *) NULL) &&
               (SkipXMPValue(content) == MagickFalse))
             {
-              xmp_namespace=ConstantString(GetXMLTreeTag(node));
-              (void) SubstituteString(&xmp_namespace,"exif:","xmp:");
-              (void) AddValueToSplayTree((SplayTreeInfo *) image->properties,
-                xmp_namespace,ConstantString(content));
+              property=ConstantString(GetXMLTreeTag(node));
+              (void) SubstituteString(&property,"exif:","xmp:");
+              property_length=strlen(property);
+              if ((property_length <= 2) || (*(property+(property_length-2)) != ':') ||
+                  (*(property+(property_length-1)) != '*'))
+                (void) AddValueToSplayTree((SplayTreeInfo *) image->properties,
+                 ConstantString(property),ConstantString(content));
+              property=DestroyString(property);
             }
           while (child != (XMLTreeInfo *) NULL)
           {
             content=GetXMLTreeContent(child);
             if (SkipXMPValue(content) == MagickFalse)
               {
-                xmp_namespace=ConstantString(GetXMLTreeTag(node));
-                (void) SubstituteString(&xmp_namespace,"exif:","xmp:");
-                (void) AddValueToSplayTree((SplayTreeInfo *) image->properties,
-                  xmp_namespace,ConstantString(content));
+                property=ConstantString(GetXMLTreeTag(node));
+                (void) SubstituteString(&property,"exif:","xmp:");
+                property_length=strlen(property);
+                if ((property_length <= 2) || (*(property+(property_length-2)) != ':') ||
+                    (*(property+(property_length-1)) != '*'))
+                  (void) AddValueToSplayTree((SplayTreeInfo *) image->properties,
+                    ConstantString(property),ConstantString(content));
+                property=DestroyString(property);
               }
             child=GetXMLTreeSibling(child);
           }