- Increase robustness against UB.
Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour.
While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
- Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit.
This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
This is a backport of libsecp256k1 PR647