From b9ad485ab49e566d04e7abeb7d528c479fa25c7e Mon Sep 17 00:00:00 2001
From: Joe Drew
Date: Fri, 10 Aug 2012 12:13:09 -0400
Subject: [PATCH] Bug 773097 - Don't create our surface from GetCanvasLayer. It's called while painting, and doing so will destroy the layer manager that we're painting with. r=roc,mattwoodrow

Canvases use the "persistent" layer manager, which is only used after 5 seconds has elapsed on Windows. So if we start up to a site that uses canvas, we risk switching to the persistent layer manager while drawing using the temporary layer manager. Because layer managers are singletons, they're not refcounted, and so we end up holding a dead pointer and corrupting the heap.
---
 content/canvas/src/nsCanvasRenderingContext2D.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/content/canvas/src/nsCanvasRenderingContext2D.cpp b/content/canvas/src/nsCanvasRenderingContext2D.cpp
index a28bbeed440c..fc925465e05b 100644
--- a/content/canvas/src/nsCanvasRenderingContext2D.cpp
+++ b/content/canvas/src/nsCanvasRenderingContext2D.cpp
@@ -4316,8 +4316,11 @@ nsCanvasRenderingContext2D::GetCanvasLayer(nsDisplayListBuilder* aBuilder,
 CanvasLayer *aOldLayer,
 LayerManager *aManager)
 {
- if (!EnsureSurface())
+ // If we don't have anything to draw, don't bother.
+ if (!mValid || !mSurface || mSurface->CairoStatus() || !mThebes ||
+ !mSurfaceCreated) {
 return nullptr;
+ }
 
 if (!mResetLayer && aOldLayer) {
 CanvasRenderingContext2DUserData* userData =
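Review bot: The new comment above the guard ("If we don't have anything to draw, don't bother") does not record the actual constraint behind this change, which is the re-entrancy hazard from the commit message: GetCanvasLayer runs during painting, and creating the surface from here can swap out the non-refcounted layer manager that is currently being painted with, leaving a dangling pointer. Nothing in the code now says that, so a later cleanup could reasonably put `EnsureSurface()` back; I would replace the comment with `// Must NOT create the surface here (no EnsureSurface()): GetCanvasLayer runs during painting, and surface creation can replace the non-refcounted layer manager we are painting with (bug 773097).` The five-term condition also looks like a copy of whatever EnsureSurface() checks before it creates anything; if so, a small shared helper such as `HasValidSurface()` used by both would keep the two from drifting apart, though EnsureSurface itself is not visible here to confirm. GetCanvasLayer's signature starts before this hunk and its body continues past it.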