net/mail: fix quadratic complexity in consumeComment

[mohammadmseet-hue]

consumeComment builds the comment string by repeated string
concatenation inside a loop. Each concatenation copies the
entire string built so far, making the function O(n^2) in the
depth of nested comments.

Replace the concatenation with a strings.Builder, which
amortizes allocation by doubling its internal buffer. This
reduces consumeComment from O(n^2) to O(n).

This is the same bug class as the consumeDomainLiteral fix
in CVE-2025-61725.

Benchmark results (benchstat, 8 runs):

name old time/op new time/op delta
ConsumeComment/depth10 2.481us 1.838us -25.92%
ConsumeComment/depth100 86.58us 6.498us -92.50%
ConsumeComment/depth1000 7.963ms 52.82us -99.34%
ConsumeComment/depth10000 897.8ms 521.3us -99.94%

The quadratic cost becomes visible at depth 100 and dominant
by depth 1000. At depth 10000, the fix is roughly 1700x
faster.

[gopherbot]

This PR (HEAD: dab3c52) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/go/+/759940.

Important tips:

• Don't comment on this PR. All discussion takes place in Gerrit.
• You need a Gmail or other Google account to log in to Gerrit.
• To change your code in response to feedback:
  • Push a new commit to the branch used by your GitHub PR.
  • A new "patch set" will then appear in Gerrit.
  • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
  • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
  • Multiple commits in the PR will be squashed by GerritBot.
• The title and description of the GitHub PR are used to construct the final commit message.
  • Edit these as needed via the GitHub web interface (not via Gerrit or git).
  • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
• See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

[gopherbot]

Message from Gopher Robot:

Patch Set 1:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/759940.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Sean Liao:

Patch Set 1:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/759940.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Mohammad Seet:

Patch Set 1:

(2 comments)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/759940.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

This PR (HEAD: 7742dad) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/go/+/759940.

Important tips:

• Don't comment on this PR. All discussion takes place in Gerrit.
• You need a Gmail or other Google account to log in to Gerrit.
• To change your code in response to feedback:
  • Push a new commit to the branch used by your GitHub PR.
  • A new "patch set" will then appear in Gerrit.
  • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
  • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
  • Multiple commits in the PR will be squashed by GerritBot.
• The title and description of the GitHub PR are used to construct the final commit message.
  • Edit these as needed via the GitHub web interface (not via Gerrit or git).
  • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
• See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

[gopherbot]

Message from Mohammad Seet:

Patch Set 2:

Done. Removed duplicated title from body and ensured clean formatting.

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/759940.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Sean Liao:

Patch Set 3: Auto-Submit+1 Code-Review+2 Commit-Queue+1

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/759940.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Go LUCI:

Patch Set 3:

Dry run: CV is trying the patch.

Bot data: {"action":"start","triggered_at":"2026-04-06T11:13:37Z","revision":"3cbd06d00250569e976d8593ae85318dd963f384"}

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/759940.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Sean Liao:

Patch Set 3: -Commit-Queue

(Performed by <GERRIT_ACCOUNT_60063> on behalf of <GERRIT_ACCOUNT_34788>)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/759940.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Go LUCI:

Patch Set 3:

This CL has passed the run

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/759940.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from Go LUCI:

Patch Set 3: LUCI-TryBot-Result+1

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/759940.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

Message from David Chase:

Patch Set 3: Code-Review+2

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/759940.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

This PR is being closed because golang.org/cl/759940 has been merged.