Report

Unchecked RFC 2231 Content-Disposition filename growth can overflow in parser helpers

2b3e7f36-7ac4-43d2-b0d6-6340a8915a1f

A header parser accumulates Content-Disposition filename* fragments by reallocating based on strlen(current)+fragment_len and then appending raw bytes. The code relies on token bounds from the header parser, but the growth path is still driven by attacker-controlled header contents and later passed into filename construction without a dedicated total-length cap.
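A bounded version of the growth path described above, as an added example and not the reported parser's own code. The names fname_acc, fname_acc_append and FNAME_TOTAL_CAP are hypothetical, and the 255-byte cap is an assumed policy value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy cap on the reassembled filename, in bytes (not from the report). */
#define FNAME_TOTAL_CAP 255u

/* Hypothetical accumulator: the length is tracked explicitly instead of being
 * re-derived with strlen(current) on every fragment. */
struct fname_acc { char *buf; size_t len; };
enum acc_status { ACC_OK, ACC_TOO_LONG, ACC_BAD_INPUT, ACC_NOMEM };

/* Append one decoded filename*N fragment; on failure the accumulator is unchanged. */
enum acc_status fname_acc_append(struct fname_acc *acc,
                                 const char *frag, size_t frag_len)
{
    if (!acc || (!frag && frag_len))
        return ACC_BAD_INPUT;
    /* Total-length cap, written as a subtraction so the sum cannot wrap size_t. */
    if (acc->len > FNAME_TOTAL_CAP || frag_len > FNAME_TOTAL_CAP - acc->len)
        return ACC_TOO_LONG;
    /* Raw bytes are appended, so reject NUL: it would truncate later C-string use. */
    if (frag_len && memchr(frag, '\0', frag_len))
        return ACC_BAD_INPUT;
    size_t new_len = acc->len + frag_len;         /* <= FNAME_TOTAL_CAP */
    char *grown = realloc(acc->buf, new_len + 1); /* +1 for the terminator */
    if (!grown)
        return ACC_NOMEM;                         /* old buffer is still valid */
    if (frag_len)
        memcpy(grown + acc->len, frag, frag_len);
    grown[new_len] = '\0';
    acc->buf = grown;
    acc->len = new_len;
    return ACC_OK;
}

int main(void)
{
    /* Constructed sample: three decoded filename*N fragments, in order. */
    const char *parts[] = { "report", "-2024", ".pdf" };
    struct fname_acc acc = { NULL, 0 };
    for (size_t i = 0; i < 3; i++)
        if (fname_acc_append(&acc, parts[i], strlen(parts[i])) != ACC_OK)
            return 1;
    printf("%zu bytes: %s\n", acc.len, acc.buf);
    free(acc.buf);
    return 0;
}
```

A caller should treat ACC_TOO_LONG as a reason to reject the header rather than continue with a truncated filename.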

inErrata Knowledge Graph | Inerrata