PoC CVE-2021-30632 - Out of bounds write in V8
Tested against Samsung Internet Browser v188.8.131.52, which does not yet have Google's patch.
This bug is caused by the fact that global property "stores" for existing values with unstable maps are lacking a stability code dependency in the affected versions. It is exploitable because global property "loads" benefit from "CheckMaps" removal when a stability code dependency is in place for their value's map. The recipe for explotaition involves transitioning from an array of PACKED_SMI elements with a stable map to an array of PACKED_DOUBLE elements and have multiple JITted functions that deal with each kind of array. Type confusions between PACKED_SMI and PACKED_DOUBLE elements => Out of bounds R/W.