diff --git a/NEWS b/NEWS
index cbb64a53f27..b72270513f3 100644
--- a/NEWS
+++ b/NEWS
@@ -46,6 +46,9 @@ PHP NEWS
 . Fix GH-11492 (Make test failure: ext/pdo_sqlite/tests/bug_42589.phpt).
 (KapitanOczywisty, CViniciusSDias)
 
+- Phar:
+ . Add missing check on EVP_VerifyUpdate() in phar util. (nielsdos)
+
 - PHPDBG:
 . Fixed bug GH-9669 (phpdbg -h options doesn't list the -z option). (adsr)
 
diff --git a/ext/phar/util.c b/ext/phar/util.c
index d0e42762703..753c8d31b1f 100644
--- a/ext/phar/util.c
+++ b/ext/phar/util.c
@@ -1599,7 +1599,9 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t sig_type,
 php_stream_seek(fp, 0, SEEK_SET);
 
 while (read_size && (len = php_stream_read(fp, (char*)buf, read_size)) > 0) {
- EVP_VerifyUpdate (md_ctx, buf, len);
+ if (UNEXPECTED(EVP_VerifyUpdate (md_ctx, buf, len) == 0)) {
+ goto failure;
+ }
 
 read_len -= (zend_off_t)len;
 if (read_len < read_size) {
@@ -1608,6 +1610,7 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t sig_type,
 }
 
 if (EVP_VerifyFinal(md_ctx, (unsigned char *)sig, sig_len, key) != 1) {
+ failure:
 /* 1: signature verified, 0: signature does not match, -1: failed signature operation */
 EVP_PKEY_free(key);
 EVP_MD_CTX_destroy(md_ctx);
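Review bot: The new `failure:` label in the second ext/phar/util.c hunk sits inside the body of `if (EVP_VerifyFinal(...) != 1)`, so the `goto failure` added in the first hunk jumps into a conditional block; that is legal C, but a reader of the EVP_VerifyFinal branch has no indication that it is also the cleanup path for an EVP_VerifyUpdate() failure mid-stream, so a comment should mark the entry point, e.g. `/* also reached via goto from the EVP_VerifyUpdate() loop above; key and md_ctx are still live and must be released here */`. Whatever follows the two free calls outside the hunk (presumably the error reporting for a mismatched signature) will now also describe an update failure — worth confirming that message is accurate for that case. For consistency with the `!= 1` test on EVP_VerifyFinal(), the new check would read more uniformly as `if (UNEXPECTED(EVP_VerifyUpdate (md_ctx, buf, len) != 1)) {`. phar_verify_signature begins and ends outside both hunks.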