Zsh Mailing List Archive

Trapping largish signal causes AddressSanitizer wild pointer error in Docker



This is another issue reported to -security by Nathan Mills. And again
I don't consider it to be a security issue if you can crash zsh from
the normal input to the shell as you already have shell access if you
control that input.

For a command like trap 3535, zsh checks an array of signals without
first doing a range check on the signal number.

Oliver

diff --git a/Src/builtin.c b/Src/builtin.c
index 5563bdba9..acdd34c1e 100644
--- a/Src/builtin.c
+++ b/Src/builtin.c
@@ -7432,6 +7432,14 @@ bin_trap(char *name, char **argv, UNUSED(Options ops), UNUSED(int func))
 	return 1;
     }
 
+    if (!*argv) {
+	if (idigit(*arg) || !strncmp(arg, "SIG", 3))
+	    zwarnnam(name, "undefined signal: %s", arg);
+	else
+	    zwarnnam(name, "signal expected");
+	return 1;
+    }
+
     /* set traps */
     for (; *argv; argv++) {
 	Eprog t;
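Review bot: the new `if (!*argv)` block is placed after the command string has already been handed to `parse_string()`, so a lone argument such as `3535` is first parsed as a trap command and only then rejected; moving the check ahead of the parse (just after the argument is consumed) would avoid the wasted parse and report the same error. Worth noting as well that this is a visible behaviour change: with no signal arguments the `for (; *argv; argv++)` loop that follows never runs, so `trap <single-non-signal-arg>` used to be a silent no-op returning 0, and now returns 1 with a warning. That deserves a line in the changelog or the `trap` documentation, since `idigit(*arg) || !strncmp(arg, "SIG", 3)` is a heuristic and any other single argument now gets "signal expected".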
diff --git a/Src/jobs.c b/Src/jobs.c
index 2d0465a22..2921fe5bf 100644
--- a/Src/jobs.c
+++ b/Src/jobs.c
@@ -3056,7 +3056,11 @@ getsigidx(const char *s)
 
     /* check for a signal specified by number */
     x = atoi(s);
-    if (idigit(*s) && x >= 0)
+    if (idigit(*s) && x >= 0 && (x < VSIGCOUNT
+#if defined(SIGRTMIN) && defined(SIGRTMAX)
+	|| (x >= SIGRTMIN && x <= SIGRTMAX)
+#endif
+	))
 	return SIGIDX(x);
 
     /* search for signal by name */
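Review bot: the added upper bound closes the out-of-range index, but the value being bounded still comes from `atoi(s)`, whose result is undefined on overflow (e.g. a numeric argument larger than `INT_MAX`); in practice the garbage value is caught by the combined `x >= 0 && x < VSIGCOUNT` / `SIGRTMIN..SIGRTMAX` test, yet a `strtol`-style parse with an explicit error check (zsh's own `zstrtol()` exists for this) would make the rejection deterministic rather than relying on whatever `atoi` happens to return. Also, `idigit(*s)` only looks at the first character, so `35x` still parses as signal 35; that is pre-existing behaviour, but if it is meant to be accepted a comment saying so would help the next reader.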



