Due to a bug within the argument parser of the partial
command an argument like "body[p" will be wrongly detected as
"body.peek". Because of this the bufferposition gets increased
by 10 instead of 5 and could therefore point outside the
allocated memory buffer for the rest of the parsing
process. In imapd versions prior to 2.2.7 the handling of
"body" or "bodypeek" arguments was broken so that the
terminating ']' got overwritten by a '\0'. Combined the two
problems allow a potential attacker to overwrite a single byte
of malloc() control structures, which leads to remote code
execution if the attacker successfully controls the heap
layout.