diff -ru dnsdist-2.0.3.orig/dnscrypt.cc dnsdist-2.0.3.CVE-2026-33593/dnscrypt.cc
--- dnsdist-2.0.3.orig/dnscrypt.cc 2026-03-12 16:00:00.000000000 +0100
+++ dnsdist-2.0.3.CVE-2026-33593/dnscrypt.cc 2026-04-07 11:18:00.990141993 +0200
@@ -633,6 +633,9 @@
 if (d_pair == nullptr) {
 throw std::runtime_error("Trying to compute the padding size from an invalid DNSCrypt query");
 }
+ if (unpaddedLen > maxLen) {
+ throw std::runtime_error("Trying to compute the padding size for an oversized content");
+ }
 DNSCryptNonceType nonce;
 memcpy(nonce.data(), d_header.clientNonce.data(), d_header.clientNonce.size());
@@ -690,6 +693,9 @@
 size_t requiredSize = sizeof(responseHeader) + DNSCRYPT_MAC_SIZE + response.size();
 size_t maxSize = std::min(maxResponseSize, requiredSize + DNSCRYPT_MAX_RESPONSE_PADDING_SIZE);
+ if (requiredSize > maxResponseSize) {
+ return ENOBUFS;
+ }
 uint16_t paddingSize = computePaddingSize(requiredSize, maxSize);
 requiredSize += paddingSize;
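Review bot: The new `unpaddedLen > maxLen` guard reports the failure by throwing `std::runtime_error`, while the call site patched in the second hunk reports the same condition with `return ENOBUFS`, so the two layers use different error conventions for one fault. The function already throws for an invalid query (the context line above), so callers presumably catch it, but any other caller not visible in this diff should be checked, because an exception escaping a response path turns an oversized answer into an availability problem. A one-line comment would record the contract, e.g. `// callers must guarantee unpaddedLen <= maxLen; a larger value is a sizing bug upstream`, and a unit test for `unpaddedLen == maxLen` and `unpaddedLen == maxLen + 1` would pin the boundary. The function's signature and the rest of its body lie outside the hunk.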
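Review bot: The `requiredSize > maxResponseSize` guard in the second hunk carries no comment saying why it is needed, and it sits after `maxSize` is computed although it does not use that value. Without the guard `std::min` yields `maxSize == maxResponseSize`, which is smaller than `requiredSize`, so `computePaddingSize` would be asked to pad into a budget that is already exceeded. I would move the check directly below the `requiredSize` line and add `// the response does not fit the caller's buffer even without padding`. With this guard in place the throw added in the first hunk cannot be reached from this call site, so it acts as a backstop for other callers. The enclosing function starts and ends outside the hunk.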