On 10. Nov 2020, at 15.45, Timo Sirainen <timo@sirainen.com> wrote:

On 4. Nov 2020, at 13.24, Renaud Métrich <rmetrich@redhat.com> wrote:
I would like to report an issue which is 100% reproducible with a specific mail available in the reproducer attached to Red Hat's bugzilla (https://bugzilla.redhat.com/attachment.cgi?id=1726535):
When performing a "FETCH <ID> (BINARY.SIZE[1] BINARY.PEEK[1])" operation, imap crashes with the following backtrace:

Thanks, this should fix it:

diff --git a/src/lib-storage/index/index-mail-binary.c b/src/lib-storage/index/index-mail-binary.c
index 2577f1afe5..f7bf984916 100644
--- a/src/lib-storage/index/index-mail-binary.c
+++ b/src/lib-storage/index/index-mail-binary.c
@@ -339,7 +339,7 @@ blocks_count_lines(struct binary_ctx *ctx, struct istream *full_input)
                i_stream_skip(full_input, skip);
                cur_block_offset += skip;

-               if (cur_block->input->eof) {
+               if (i_stream_read_eof(cur_block->input)) {
                        /* go to the next block */
                        if (++block_idx == block_count) {
                                i_assert(i_stream_read_eof(full_input));

Actually, that breaks things. This one should be ok:

diff --git a/src/lib-storage/index/index-mail-binary.c b/src/lib-storage/index/index-mail-binary.c
index 2577f1afe5..80c319e050 100644
--- a/src/lib-storage/index/index-mail-binary.c
+++ b/src/lib-storage/index/index-mail-binary.c
@@ -339,13 +339,14 @@ blocks_count_lines(struct binary_ctx *ctx, struct istream *full_input)
                i_stream_skip(full_input, skip);
                cur_block_offset += skip;

-               if (cur_block->input->eof) {
+               if (i_stream_read_eof(cur_block->input)) {
                        /* go to the next block */
-                       if (++block_idx == block_count) {
+                       if (block_idx+1 == block_count) {
                                i_assert(i_stream_read_eof(full_input));
                                ret = -1;
                                break;
                        }
+                       block_idx++;
                        cur_block++;
                        cur_block_offset = 0;
                }