named signatures: fix crash when slurping and tainting

Only try to dereference a parameter pointer after we ensure it is
valid.

CID 638315

Author: tonycoz

pp.c

@@ -8021,13 +8021,13 @@ PP(pp_multiparam)
                 SV **padentry = &PAD_SVl(padix);
                 save_clearsv(padentry);
 
+                if(!val)
+                    val = &PL_sv_undef;
+
                 assert(TAINTING_get || !TAINT_get);
                 if (UNLIKELY(TAINT_get) && !SvTAINTED(val))
                     TAINT_NOT;
 
-                if(!val)
-                    val = &PL_sv_undef;
-
                 SvPADSTALE_off(*padentry);
                 SvSetMagicSV(*padentry, val);
             }

t/op/signatures.t

@@ -1589,6 +1589,22 @@ EOPERL
         'thread cloning during signature parse does not crash');
 }
 
+{
+    # https://github.com/Perl/perl5/pull/23871#discussion_r2488103875
+    $ENV{BAD} = "x";
+    fresh_perl_is(<<'CODE', "ok\n",
+no warnings "experimental::signature_named_parameters";
+use feature "signatures";
+sub foo (:$x, @y) {
+    print "ok\n";
+}
+foo("$ENV{BAD}");
+CODE
+                  {
+                   switches => [ "-t" ],
+                  }, "crash in named parameter handling");
+}
+
 done_testing;
 
 1;