From cf9c09694f6d9f59e245d2e6b2d9e2d375909441 Mon Sep 17 00:00:00 2001
From: Russell O'Connor
Date: Thu, 4 Jul 2019 22:44:03 -0400
Subject: [PATCH] Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit.

This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
---
 src/scalar_low_impl.h | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/scalar_low_impl.h b/src/scalar_low_impl.h
index 5dbc35604c..5499e3b715 100644
--- a/src/scalar_low_impl.h
+++ b/src/scalar_low_impl.h
@@ -40,6 +40,7 @@ static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int
 if (flag && bit < 32)
 *r += ((uint32_t)1 << bit);
 #ifdef VERIFY
+ VERIFY_CHECK(((uint32_t)1 << bit) - 1 <= UINT32_MAX - EXHAUSTIVE_TEST_ORDER);
 VERIFY_CHECK(secp256k1_scalar_check_overflow(r) == 0);
 #endif
 }
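Review bot: The added VERIFY_CHECK evaluates `(uint32_t)1 << bit` unconditionally, while the addition two lines above is only performed when `bit < 32`, so a caller passing `bit >= 32` in a VERIFY build hits a shift by at least the width of the type, which is undefined behaviour rather than a clean check failure. Guarding it first makes the precondition explicit and keeps the shift well defined: `VERIFY_CHECK(bit < 32);` placed immediately before the new line. The check's intent is also non-obvious to a reader, since it relies on `*r` having been in range before the addition; a comment such as `/* Adding (1 << bit) to any in-range scalar (< EXHAUSTIVE_TEST_ORDER) must not wrap the uint32_t, or check_overflow below would miss it. */` would carry that reasoning. The signature of secp256k1_scalar_cadd_bit starts outside the hunk.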