UPDATE: I uploaded sources & exploit for the WCTF version of the challenge to https://github.com/niklasb/elgoog/
There were (at least) two bugs:
Pool overflow when compressing an index, if a posting list has duplicate entries. In elgoog1, this overflow was unbounded, but in elgoog2, it was only a one-byte overflow.
Type confusion between compressed and uncompressed index in
elgoog_compress_index(). It didn't check the flag. This was unintended and exploited by shiki7 from Tea Deliverers to solve both challenges (it is harder in elgoog2 though due to low integrity).
Will release my exploit for the first bug soon, once I cleaned it up a bit.