From 505989c0e701b105bb67b8b4c55681b0328171fe Mon Sep 17 00:00:00 2001
From: Benjamin Peterson <benjamin@python.org>
Date: Mon, 15 Aug 2016 21:40:14 -0700
Subject: [PATCH] fail when negative values are passed to instr()

---
 Lib/test/test_curses.py | 2 ++
 Misc/NEWS               | 4 ++--
 Modules/_cursesmodule.c | 8 ++++++++
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/Lib/test/test_curses.py b/Lib/test/test_curses.py
index ce5f2a5e833b..bdb71e5e17ae 100644
--- a/Lib/test/test_curses.py
+++ b/Lib/test/test_curses.py
@@ -187,6 +187,8 @@ class TestCurses(unittest.TestCase):
 
         self.assertRaises(ValueError, stdscr.getstr, -400)
         self.assertRaises(ValueError, stdscr.getstr, 2, 3, -400)
+        self.assertRaises(ValueError, stdscr.instr, -2)
+        self.assertRaises(ValueError, stdscr.instr, 2, 3, -2)
 
 
     def test_module_funcs(self):
diff --git a/Misc/NEWS b/Misc/NEWS
index b9d473499d36..417da1397323 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -31,8 +31,8 @@ Library
 
 - Issue #27760: Fix possible integer overflow in binascii.b2a_qp.
 
-- In the curses module, raise an error if window.getstr() is passed a negative
-  value.
+- In the curses module, raise an error if window.getstr() or window.instr() is
+  passed a negative value.
 
 - Issue #27758: Fix possible integer overflow in the _csv module for large record
   lengths.
diff --git a/Modules/_cursesmodule.c b/Modules/_cursesmodule.c
index d0d747986dc7..e478a5794829 100644
--- a/Modules/_cursesmodule.c
+++ b/Modules/_cursesmodule.c
@@ -1095,6 +1095,10 @@ PyCursesWindow_InStr(PyCursesWindowObject *self, PyObject *args)
     case 1:
         if (!PyArg_ParseTuple(args,"i;n", &n))
             return NULL;
+        if (n < 0) {
+            PyErr_SetString(PyExc_ValueError, "'n' must be nonnegative");
+            return NULL;
+        }
         rtn2 = winnstr(self->win,rtn,MIN(n,1023));
         break;
     case 2:
@@ -1105,6 +1109,10 @@ PyCursesWindow_InStr(PyCursesWindowObject *self, PyObject *args)
     case 3:
         if (!PyArg_ParseTuple(args, "iii;y,x,n", &y, &x, &n))
             return NULL;
+        if (n < 0) {
+            PyErr_SetString(PyExc_ValueError, "'n' must be nonnegative");
+            return NULL;
+        }
         rtn2 = mvwinnstr(self->win, y, x, rtn, MIN(n,1023));
         break;
     default:
-- 
2.47.3