It is my understanding that this type of exploit would typically cause a server to crash (modern operating systems won't allow random memory access in this way); however, in this case OpenSSL uses a custom memory allocation method for performance reasons. Still, it's surprising that the overflow isn't checked for; it's one of the most common sources of vulnerability.
Yeah, I'm very surprised by that too. An overflow would be exactly the sort of thing you'd need to be especially vigilant about in this kind of set-up. I'm also really surprised that request data and internal server data (the encryption keys) aren't completely separated and sandboxed. I can understand the Heartbleed bug exposing passwords and private content sent in earlier requests, because it makes sense for all requests to share the same region of memory. But why the hell are they even close to the encryption keys themselves?
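The length check the comments above say was missing, sketched as an added example (not part of the original thread and not OpenSSL's code). The message layout follows RFC 6520; the names `hb_overread` and `hb_respond` and the sample record are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message per RFC 6520: type(1) | payload_length(2) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3
#define HB_MIN_PAD  16

/* How many bytes past the received record a handler would copy if it
 * trusted the claimed payload_length. Nothing is read out of bounds here. */
size_t hb_overread(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER) return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    size_t present = rec_len - HB_HEADER;
    return claimed > present ? claimed - present : 0;
}

/* Hardened handler: returns the response length, or 0 to silently discard. */
size_t hb_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_MIN_PAD) return 0;   /* too short to be valid */
    if (rec[0] != HB_REQUEST) return 0;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    /* The check that matters: the claimed length must fit inside the record. */
    if (HB_HEADER + payload + HB_MIN_PAD > rec_len) return 0;
    size_t resp_len = HB_HEADER + payload + HB_MIN_PAD;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload); /* bounded by the check above */
    memset(out + HB_HEADER + payload, 0, HB_MIN_PAD);  /* RFC 6520 calls for random padding */
    return resp_len;
}

int main(void)
{
    /* Constructed record: claims 0x4000 payload bytes but carries one. */
    const uint8_t bad[] = {HB_REQUEST, 0x40, 0x00, 'A'};
    uint8_t out[64];
    printf("unchecked copy would over-read %zu bytes; hardened handler returns %zu\n",
           hb_overread(bad, sizeof bad), hb_respond(bad, sizeof bad, out, sizeof out));
    return 0;
}
```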