named signatures: fix crash when slurping and tainting

tonycoz · tonycoz · commit d98b252957ef · 2025-11-06T09:10:58.000+11:00
Only try to dereference a parameter pointer after we ensure it is
valid.

CID 638315
diff --git a/pp.c b/pp.c
@@ -8021,13 +8021,13 @@ PP(pp_multiparam)
                 SV **padentry = &PAD_SVl(padix);
                 save_clearsv(padentry);
 
+                if(!val)
+                    val = &PL_sv_undef;
+
                 assert(TAINTING_get || !TAINT_get);
                 if (UNLIKELY(TAINT_get) && !SvTAINTED(val))
                     TAINT_NOT;
 
-                if(!val)
-                    val = &PL_sv_undef;
-
                 SvPADSTALE_off(*padentry);
                 SvSetMagicSV(*padentry, val);
             }
diff --git a/t/op/signatures.t b/t/op/signatures.t
@@ -1589,6 +1589,25 @@ EOPERL
         'thread cloning during signature parse does not crash');
 }
 
+SKIP:
+{
+    skip "No taint support", 1
+      if exists $Config{taint_support} && !$Config{taint_support};
+    # https://github.com/Perl/perl5/pull/23871#discussion_r2488103875
+    $ENV{BAD} = "x";
+    fresh_perl_is(<<'CODE', "ok\n",
+no warnings "experimental::signature_named_parameters";
+use feature "signatures";
+sub foo (:$x, @y) {
+    print "ok\n";
+}
+foo("$ENV{BAD}");
+CODE
+                  {
+                   switches => [ "-t" ],
+                  }, "crash in named parameter handling");
+}
+
 done_testing;
 
 1;
