diff --git a/ChangeLog b/ChangeLog
index 08430f582..8756506e9 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -279,6 +279,8 @@ Features
      ciphersuite/certificate.
 
 Bugfix
+   * Fix bug in entropy.c when THREADING_C is also enabled that caused
+     entropy_free() to crash (found and fixed by ptahpeteh).
    * Stack buffer overflow if ctr_drbg_update() is called with too large
      add_len (found by Jean-Philippe Aumasson) (not triggerable remotely).
    * Possible buffer overflow of length at most POLARSSL_MEMORY_ALIGN_MULTIPLE
diff --git a/library/entropy.c b/library/entropy.c
index e41a593ca..3626d3468 100644
--- a/library/entropy.c
+++ b/library/entropy.c
@@ -94,10 +94,10 @@ void mbedtls_entropy_free( mbedtls_entropy_context *ctx )
 #if defined(MBEDTLS_HAVEGE_C)
     mbedtls_havege_free( &ctx->havege_data );
 #endif
-    mbedtls_zeroize( ctx, sizeof( mbedtls_entropy_context ) );
 #if defined(MBEDTLS_THREADING_C)
     mbedtls_mutex_free( &ctx->mutex );
 #endif
+    mbedtls_zeroize( ctx, sizeof( mbedtls_entropy_context ) );
 }
 
 int mbedtls_entropy_add_source( mbedtls_entropy_context *ctx,
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 896733739..3ecda0404 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1770,7 +1770,7 @@ static int x509_crt_verify_top(
 {
     int ret;
     uint32_t ca_flags = 0;
-    int check_path_cnt = path_cnt + 1;
+    int check_path_cnt;
     unsigned char hash[MBEDTLS_MD_MAX_SIZE];
     const mbedtls_md_info_t *md_info;
 
@@ -1801,8 +1801,10 @@ static int x509_crt_verify_top(
         if( x509_crt_check_parent( child, trust_ca, 1, path_cnt == 0 ) != 0 )
             continue;
 
+        check_path_cnt = path_cnt + 1;
+
         /*
-         * Reduce path_len to check against if top of the chain is
+         * Reduce check_path_cnt to check against if top of the chain is
          * the same as the trusted CA
          */
         if( child->subject_raw.len == trust_ca->subject_raw.len &&