diff -ru dnsdist-1.9.12.orig/dnscrypt.cc dnsdist-1.9.12.CVE-2026-33593/dnscrypt.cc
--- dnsdist-1.9.12.orig/dnscrypt.cc 2026-03-13 16:09:16.000000000 +0100
+++ dnsdist-1.9.12.CVE-2026-33593/dnscrypt.cc 2026-04-07 11:18:31.427071241 +0200
@@ -627,6 +627,10 @@
 assert(d_header.clientNonce);
 assert(d_pair != nullptr);
+ if (unpaddedLen > maxLen) {
+ throw std::runtime_error("Trying to compute the padding size for an oversized content");
+ }
+
 unsigned char nonce[DNSCRYPT_NONCE_SIZE];
 memcpy(nonce, d_header.clientNonce, (DNSCRYPT_NONCE_SIZE / 2));
 memcpy(&(nonce[DNSCRYPT_NONCE_SIZE / 2]), d_header.clientNonce, (DNSCRYPT_NONCE_SIZE / 2));
@@ -677,6 +681,9 @@
 size_t requiredSize = sizeof(responseHeader) + DNSCRYPT_MAC_SIZE + response.size();
 size_t maxSize = std::min(maxResponseSize, requiredSize + DNSCRYPT_MAX_RESPONSE_PADDING_SIZE);
+ if (requiredSize > maxResponseSize) {
+ return ENOBUFS;
+ }
 uint16_t paddingSize = computePaddingSize(requiredSize, maxSize);
 requiredSize += paddingSize;
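Review bot: The `unpaddedLen > maxLen` guard added in the `@@ -627,6 +627,10 @@` hunk signals failure by throwing `std::runtime_error`, whereas the caller patched in the `@@ -677,6 +681,9 @@` hunk reports a size problem with an errno-style `return ENOBUFS`; nothing in the diff shows that exception being caught on the response path. With the caller-side check in place the throw appears unreachable from that call site, so it is effectively a defensive backstop and should be documented as one, for example `// Defensive: callers must ensure unpaddedLen <= maxLen before asking for a padding size`. The function's signature and the arithmetic that consumes these two values lie outside the hunk, so the exact failure the guard prevents cannot be confirmed from here.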
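Review bot: In the `@@ -677,6 +681,9 @@` hunk `requiredSize` is a `size_t` built from `response.size()`, yet it is passed to `computePaddingSize`, whose result lands in a `uint16_t`; if that function's length parameter is also 16 bits wide (its signature is not in the diff), a larger value would be narrowed at the call and the guard added in the first hunk would compare the narrowed number. The new `requiredSize > maxResponseSize` test only excludes that when `maxResponseSize` itself cannot exceed 65535, which is not visible here. Making the bound explicit would remove the dependency: `if (requiredSize > maxResponseSize || requiredSize > std::numeric_limits<uint16_t>::max()) {`. The check would also read better placed directly after `requiredSize` is computed, ahead of the `maxSize` line, so the early exit precedes any further size arithmetic. The enclosing function starts and ends outside the hunk.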