[go/release-branch.go1.25] [release-branch.go1.25] net/mail: fix quadratic complexity in consumeComment


Michael Pratt (Gerrit)

Apr 29, 2026, 4:07:15 PM
to Mohammad Seet, Michael Pratt, Damien Neil, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, golang...@luci-project-accounts.iam.gserviceaccount.com, golang-co...@googlegroups.com

Michael Pratt submitted the change

Change information

Commit message:
[release-branch.go1.25] net/mail: fix quadratic complexity in consumeComment

consumeComment builds the comment string by repeated string
concatenation inside a loop. Each concatenation copies the
entire string built so far, making the function O(n^2) in the
depth of nested comments.

Replace the concatenation with a strings.Builder, which
amortizes allocation by doubling its internal buffer. This
reduces consumeComment from O(n^2) to O(n).

This is the same bug class as the consumeDomainLiteral fix
in CVE-2025-61725.

Benchmark results (benchstat, 8 runs):

name                       old time/op  new time/op  delta
ConsumeComment/depth10     2.481us      1.838us      -25.92%
ConsumeComment/depth100    86.58us      6.498us      -92.50%
ConsumeComment/depth1000   7.963ms      52.82us      -99.34%
ConsumeComment/depth10000  897.8ms      521.3us      -99.94%

The quadratic cost becomes visible at depth 100 and dominant
by depth 1000. At depth 10000, the fix is roughly 1700x
faster.

For #78566
Fixes #78567

Change-Id: I3c927f02646fcab7bab167cb82fd46d3327d6d34
GitHub-Last-Rev: 7742dad716ee371766543f88e82bd163bd9d7ac2
GitHub-Pull-Request: golang/go#78393
Reviewed-on: https://go-review.googlesource.com/c/go/+/759940
Reviewed-by: Sean Liao <se...@liao.dev>
LUCI-TryBot-Result: Go LUCI <golang...@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Sean Liao <se...@liao.dev>
Reviewed-by: David Chase <drc...@google.com>
Reviewed-by: Junyang Shao <shaoj...@google.com>
(cherry picked from commit 0d0799f055dcc9b3b41df74bee3fbe398ae2f0e7)
Reviewed-on: https://go-review.googlesource.com/c/go/+/763558
Reviewed-by: Michael Pratt <mpr...@google.com>
LUCI-TryBot-Result: golang...@luci-project-accounts.iam.gserviceaccount.com <golang...@luci-project-accounts.iam.gserviceaccount.com>
Files:
  • M src/net/mail/message.go
  • M src/net/mail/message_test.go
Change size: S
Delta: 2 files changed, 22 insertions(+), 3 deletions(-)
Branch: refs/heads/release-branch.go1.25
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: release-branch.go1.25
Gerrit-Change-Id: I3c927f02646fcab7bab167cb82fd46d3327d6d34
Gerrit-Change-Number: 763558
Gerrit-PatchSet: 3
Gerrit-Owner: Damien Neil <dn...@google.com>
Gerrit-Reviewer: Damien Neil <dn...@google.com>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-CC: Mohammad Seet <mohamm...@gmail.com>

Michael Pratt (Gerrit)

Apr 29, 2026, 4:07:18 PM
to Mohammad Seet, Michael Pratt, Damien Neil, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, golang...@luci-project-accounts.iam.gserviceaccount.com, golang-co...@googlegroups.com

Michael Pratt submitted the change

Change information

Commit message:
[release-branch.go1.26] net/mail: fix quadratic complexity in consumeComment


consumeComment builds the comment string by repeated string
concatenation inside a loop. Each concatenation copies the
entire string built so far, making the function O(n^2) in the
depth of nested comments.

Replace the concatenation with a strings.Builder, which
amortizes allocation by doubling its internal buffer. This
reduces consumeComment from O(n^2) to O(n).

This is the same bug class as the consumeDomainLiteral fix
in CVE-2025-61725.

Benchmark results (benchstat, 8 runs):

name                       old time/op  new time/op  delta
ConsumeComment/depth10     2.481us      1.838us      -25.92%
ConsumeComment/depth100    86.58us      6.498us      -92.50%
ConsumeComment/depth1000   7.963ms      52.82us      -99.34%
ConsumeComment/depth10000  897.8ms      521.3us      -99.94%

The quadratic cost becomes visible at depth 100 and dominant
by depth 1000. At depth 10000, the fix is roughly 1700x
faster.

For #78566
Fixes #78568


Change-Id: I3c927f02646fcab7bab167cb82fd46d3327d6d34
GitHub-Last-Rev: 7742dad716ee371766543f88e82bd163bd9d7ac2
GitHub-Pull-Request: golang/go#78393
Reviewed-on: https://go-review.googlesource.com/c/go/+/759940
Reviewed-by: Sean Liao <se...@liao.dev>
LUCI-TryBot-Result: Go LUCI <golang...@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Sean Liao <se...@liao.dev>
Reviewed-by: David Chase <drc...@google.com>
Reviewed-by: Junyang Shao <shaoj...@google.com>
(cherry picked from commit 0d0799f055dcc9b3b41df74bee3fbe398ae2f0e7)
Files:
  • M src/net/mail/message.go
  • M src/net/mail/message_test.go
Change size: S
Delta: 2 files changed, 22 insertions(+), 3 deletions(-)
Branch: refs/heads/release-branch.go1.26
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: release-branch.go1.26
Gerrit-Change-Id: I3c927f02646fcab7bab167cb82fd46d3327d6d34
Gerrit-Change-Number: 763800
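
The cost difference described in both commit messages above, as an added Go example (not the net/mail source and not part of either message): a simplified nested-comment loop written with += and with strings.Builder, counting the bytes each one copies. The function names, the delta table and the copy counters are assumptions made for illustration; quoted-pair escapes are left out.

```go
package main

import (
	"fmt"
	"strings"
)

// delta maps a byte to its effect on nesting depth (hypothetical helper).
var delta = [256]int{'(': 1, ')': -1}

// consumeConcat uses the pre-fix pattern: each += allocates a new string and
// copies everything built so far. copied totals those moved bytes.
func consumeConcat(s string) (comment string, ok bool, copied int) {
	depth := 1 // the opening '(' is assumed to be consumed by the caller
	for ; len(s) > 0 && depth > 0; s = s[1:] {
		if depth += delta[s[0]]; depth > 0 {
			copied += len(comment) // old contents moved into the new string
			comment += s[:1]
		}
	}
	return comment, depth == 0, copied
}

// consumeBuilder uses the fixed pattern: bytes are copied only when the
// builder's buffer is full and has to be reallocated.
func consumeBuilder(s string) (string, bool, int) {
	var b strings.Builder
	depth, copied := 1, 0
	for ; len(s) > 0 && depth > 0; s = s[1:] {
		if depth += delta[s[0]]; depth > 0 {
			if b.Len() == b.Cap() { // full buffer: the next write reallocates
				copied += b.Len()
			}
			b.WriteByte(s[0])
		}
	}
	return b.String(), depth == 0, copied
}

func main() {
	for _, d := range []int{10, 100, 1000, 10000} { // depths from the benchmark table
		in := strings.Repeat("(", d-1) + strings.Repeat(")", d) // constructed input
		_, _, c1 := consumeConcat(in)
		_, _, c2 := consumeBuilder(in)
		fmt.Printf("depth %5d: concat copied %9d bytes, builder %6d\n", d, c1, c2)
	}
}
```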