Bug 1854669 Comment 1 Edit History

I don't have any POC using this as an exploit but in theory, it wouldn't be that hard to construct after escaping the content process sandbox. What one could do with this, I'm not sure, but I'm looking at using the same infrastructure with WebGL to avoid copies into the content process and back into the compositor process when using GPUVideoImage for CPU-memory-backed textures. This is showing up in profiles with WebCodecs. In theory this will also be useful for DrawTargetWebgl / accelerated canvas (and D2D canvas if necessary/desired).

I don't have any POC using this as an exploit but in theory, it wouldn't be that hard to construct after escaping the content process sandbox. What one could do with this, I'm not sure, but I'm looking at using the same infrastructure with WebGL to avoid copies into the content process and back into the compositor process when using GPUVideoImage for CPU-memory-backed textures. This is showing up in profiles with WebCodecs. In theory this will also be useful for DrawTargetWebgl / accelerated canvas (and D2D canvas if necessary/desired). Expanding the attack surface without fixing this is probably not good.