From e0cf4d97d7ffccdca8429f9d121195c2c5bb5dd1 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Tue, 4 Nov 2025 14:15:22 +1100
Subject: [PATCH] named signatures: fix crash when slurping and tainting

Only try to dereference a parameter pointer after we ensure it is
valid.

CID 638315
---
 pp.c              |  6 +++---
 t/op/signatures.t | 19 +++++++++++++++++++
 2 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/pp.c b/pp.c
index 1651de4c3b0c..bcfa2744e44b 100644
--- a/pp.c
+++ b/pp.c
@@ -8021,13 +8021,13 @@ PP(pp_multiparam)
                 SV **padentry = &PAD_SVl(padix);
                 save_clearsv(padentry);
 
+                if(!val)
+                    val = &PL_sv_undef;
+
                 assert(TAINTING_get || !TAINT_get);
                 if (UNLIKELY(TAINT_get) && !SvTAINTED(val))
                     TAINT_NOT;
 
-                if(!val)
-                    val = &PL_sv_undef;
-
                 SvPADSTALE_off(*padentry);
                 SvSetMagicSV(*padentry, val);
             }
diff --git a/t/op/signatures.t b/t/op/signatures.t
index c4c0fd2f1b84..7c962bf56a4e 100644
--- a/t/op/signatures.t
+++ b/t/op/signatures.t
@@ -1589,6 +1589,25 @@ EOPERL
         'thread cloning during signature parse does not crash');
 }
 
+SKIP:
+{
+    skip "No taint support", 1
+      if exists $Config{taint_support} && !$Config{taint_support};
+    # https://github.com/Perl/perl5/pull/23871#discussion_r2488103875
+    $ENV{BAD} = "x";
+    fresh_perl_is(<<'CODE', "ok\n",
+no warnings "experimental::signature_named_parameters";
+use feature "signatures";
+sub foo (:$x, @y) {
+    print "ok\n";
+}
+foo("$ENV{BAD}");
+CODE
+                  {
+                   switches => [ "-t" ],
+                  }, "crash in named parameter handling");
+}
+
 done_testing;
 
 1;