Turns out it was a server-side bug. In the cjson_decode() function in server.c, the unpacking code contains the following lines:
    /* decompress buffer (excluding first 32 bits) */
    comp_p = buf + 4;
    if (uncompress(obj_unc, &dest_len, comp_p, buflen - 4) != Z_OK)
        goto out;
    if (dest_len != unc_len)
        goto out;
    memcpy(obj_unc + unc_len, &zero, 1); /* null terminate */
This call of uncompress() isn't completely correct according to the zlib docs: dest_len must hold the actual size of the buffer for the uncompressed data before uncompress() is called, but it is never initialized. This should be corrected (e.g. dest_len = unc_len + 1).
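As an added illustration (not code from server.c), the following Python mirrors the corrected C logic with zlib's bounded decompressor: the output limit plays the role of an initialized dest_len, and the result is accepted only if the stream ends exactly at the expected length. It assumes the 4-byte header carries the expected uncompressed length in little-endian order and uses a constructed MAX_OBJ cap; neither is stated on the page.

```python
import struct
import zlib
from typing import Optional

MAX_OBJ = 1 << 20  # assumed upper bound on unc_len before any allocation


def pack(payload: bytes) -> bytes:
    """Build a constructed sample message: 4-byte length header + zlib stream."""
    return struct.pack("<I", len(payload)) + zlib.compress(payload)


def cjson_decode_checked(buf: bytes) -> Optional[bytes]:
    """Decode one message the way the fixed C code should; None on any fault."""
    if len(buf) < 4:
        return None
    (unc_len,) = struct.unpack_from("<I", buf, 0)
    if unc_len > MAX_OBJ:
        return None  # never size a buffer from an unchecked header
    comp_p = buf[4:]  # skip the first 32 bits, as in the C code

    d = zlib.decompressobj()
    try:
        # max_length is the initialized dest_len: room for unc_len bytes
        # plus the terminating NUL the C code appends afterwards. With an
        # uninitialized dest_len, zlib would trust garbage as this bound.
        out = d.decompress(comp_p, unc_len + 1)
    except zlib.error:
        return None  # corrupt stream, same as uncompress() != Z_OK

    # Equivalent of "if (dest_len != unc_len) goto out;", plus checks that
    # the stream really finished and left no unprocessed or trailing bytes.
    if not d.eof or len(out) != unc_len:
        return None
    if d.unconsumed_tail or d.unused_data:
        return None
    return out


if __name__ == "__main__":
    sample = pack(b'{"a":1}')  # constructed input
    print(cjson_decode_checked(sample))
```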