diff options
| author | mohammadmseet-hue <mohammadmseet@gmail.com> | 2026-04-04 05:17:25 +0000 |
|---|---|---|
| committer | Gopher Robot <gobot@golang.org> | 2026-04-06 12:18:23 -0700 |
| commit | 0d0799f055dcc9b3b41df74bee3fbe398ae2f0e7 (patch) | |
| tree | 86b995e272704c15ee8c4d9f14f816b9f3b02b15 /src/runtime | |
| parent | ad7d6071ac1955e76e7407d8345cf18f354a1693 (diff) | |
| download | go-0d0799f055dcc9b3b41df74bee3fbe398ae2f0e7.tar.xz | |
net/mail: fix quadratic complexity in consumeComment
consumeComment builds the comment string by repeated string
concatenation inside a loop. Each concatenation copies the
entire string built so far, making the function O(n^2) in the
depth of nested comments.
Replace the concatenation with a strings.Builder, which
amortizes allocation by doubling its internal buffer. This
reduces consumeComment from O(n^2) to O(n).
This is the same bug class as the consumeDomainLiteral fix
in CVE-2025-61725.
Benchmark results (benchstat, 8 runs):
name old time/op new time/op delta
ConsumeComment/depth10 2.481us 1.838us -25.92%
ConsumeComment/depth100 86.58us 6.498us -92.50%
ConsumeComment/depth1000 7.963ms 52.82us -99.34%
ConsumeComment/depth10000 897.8ms 521.3us -99.94%
The quadratic cost becomes visible at depth 100 and dominant
by depth 1000. At depth 10000, the fix is roughly 1700x
faster.
Change-Id: I3c927f02646fcab7bab167cb82fd46d3327d6d34
GitHub-Last-Rev: 7742dad716ee371766543f88e82bd163bd9d7ac2
GitHub-Pull-Request: golang/go#78393
Reviewed-on: https://go-review.googlesource.com/c/go/+/759940
Reviewed-by: Sean Liao <sean@liao.dev>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Sean Liao <sean@liao.dev>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Junyang Shao <shaojunyang@google.com>
Diffstat (limited to 'src/runtime')
0 files changed, 0 insertions, 0 deletions