I guess I'm a dunce on this -- I don't understand the graphic at all.
A program makes a query over an SSL link. That query is answered securely by the server on the other side. On a properly-configured SSL tunnel, the responder would answer the query explicitly.
With Heartbleed, a query could be issued that requested the response be a certain length. The response could be longer than the explicit data point in, say, a database, and the data that would be gained would be data the requester is not privy to.
In this case, a private key could be decoded by constantly requesting that secure traffic respond with more information than what is found in the public key. Since the only data outside of the public key is the private key or a symmetric hash, they could eventually decode the entire private key, thus making a man-in-the-middle attack easy to pull off. The attack poses as a secure server, steals the data it wants, and the customer is none the wiser.
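The length mismatch this post describes, as an added illustration that is not from the original thread: a Python model of a TLS heartbeat record in which the responder trusts the declared payload length (the vulnerable behaviour) beside the bounds check that closes the hole. The "memory" bytes and the sample secret are constructed; no real TLS code is involved.

```python
"""Model of the Heartbleed length-check bug.

A TLS heartbeat record is: 1 byte type, 2 byte payload_length (big endian),
the payload, then at least 16 bytes of padding (RFC 6520). The flaw was that
the responder echoed `payload_length` bytes without checking that the record
actually contained that many bytes, so whatever followed the record in memory
was copied into the reply. This is a constructed model: a bytes object stands
in for process memory, with the received record at offset 0 and an unrelated
secret right after it.
"""
import struct
from typing import Optional

# Constructed stand-in for sensitive heap contents adjacent to the record.
SECRET = b"-----BEGIN PRIVATE KEY----- (constructed sample)"


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat request: type 0x01, declared length, payload, 16 bytes padding.
    claimed_len is taken from the caller so a mismatch can be modelled."""
    return struct.pack("!BH", 0x01, claimed_len) + payload + b"\x00" * 16


def respond_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Trusts the declared length: copies that many bytes starting at the
    payload, regardless of how long the received record really was."""
    _hb_type, claimed = struct.unpack("!BH", memory[:3])
    return memory[3:3 + claimed]          # record_len is never consulted


def respond_fixed(memory: bytes, record_len: int) -> Optional[bytes]:
    """Bounds check: type + length field + payload + padding must fit inside
    the record that was actually received; otherwise discard silently."""
    if record_len < 1 + 2 + 16:
        return None
    _hb_type, claimed = struct.unpack("!BH", memory[:3])
    if 1 + 2 + claimed + 16 > record_len:
        return None
    return memory[3:3 + claimed]


def demo(payload: bytes = b"hello", claimed_len: int = 60):
    """Returns (vulnerable reply, fixed reply) for one constructed record."""
    record = build_heartbeat(payload, claimed_len)
    memory = record + SECRET               # constructed process memory
    return respond_vulnerable(memory, len(record)), respond_fixed(memory, len(record))


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable reply:", leaked)     # payload, padding, then SECRET bytes
    print("fixed reply:", safe)            # None: request discarded
```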