In practical terms
Another site with the story has fuller details and includes pseudo-code of the bug
int MaxIdx = ArrayOfObjectsFromIE.Size()-1;
for (int i=0; i <= MaxIdx; i++) {
if (!ArrayOfObjectsFromIE[i])
continue;
ArrayOfObjectsFromIE[i]->TransferFromSource();
...
}
http://mobile.securityratty.com/article/622c51159caa8b94b23fe6e180f94f78
Basically, if I understand it correctly, other threads could update the array being used in the loop so that MaxIdx wasn't necessarily valid for the duration of the loop. For all the throwing of acronyms around it still comes down to the programmer(s) not fully understanding the environment they are coding in.