From e7d1606bff64be32d07aae4b28f6b4f28a429c21 Mon Sep 17 00:00:00 2001
From: Your Name <you@example.com>
Date: Wed, 25 Feb 2026 11:30:42 +0000
Subject: [PATCH] Fix integer overflow in _sdsMakeRoomFor (CVE-2021-41099)

---
 texk/web2c/mfluadir/otfcc/dep/extern/sds.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/texk/web2c/mfluadir/otfcc/dep/extern/sds.c b/texk/web2c/mfluadir/otfcc/dep/extern/sds.c
index fbb90ebbf1..d1b633d9e0 100644
--- a/texk/web2c/mfluadir/otfcc/dep/extern/sds.c
+++ b/texk/web2c/mfluadir/otfcc/dep/extern/sds.c
@@ -193,7 +193,7 @@ void sdsclear(sds s) {
 sds sdsMakeRoomFor(sds s, size_t addlen) {
     void *sh, *newsh;
     size_t avail = sdsavail(s);
-    size_t len, newlen;
+    size_t len, newlen, reqlen;
     char type, oldtype = s[-1] & SDS_TYPE_MASK;
     int hdrlen;
 
@@ -202,7 +202,7 @@ sds sdsMakeRoomFor(sds s, size_t addlen) {
 
     len = sdslen(s);
     sh = (char*)s-sdsHdrSize(oldtype);
-    newlen = (len+addlen);
+    reqlen = newlen = (len+addlen);
     if (newlen < SDS_MAX_PREALLOC)
         newlen *= 2;
     else
@@ -216,6 +216,7 @@ sds sdsMakeRoomFor(sds s, size_t addlen) {
     if (type == SDS_TYPE_5) type = SDS_TYPE_8;
 
     hdrlen = sdsHdrSize(type);
+    assert(hdrlen + newlen + 1 > reqlen);  /* Catch size_t overflow */
     if (oldtype==type) {
         newsh = s_realloc(sh, hdrlen+newlen+1);
         if (newsh == NULL) return NULL;