"amax == 0 || a[amax] != 0"
Essentially, when decodepoint_ed() clears the top bit of the key, it
needs to call bn_restore_invariant() in case that left the high-order
word zero.
Bug found with the help of afl-fuzz.
/* Read x bit and then reset it */
negative = bignum_bit(point->y, point->curve->fieldBits - 1);
bignum_set_bit(point->y, point->curve->fieldBits - 1, 0);
+ bn_restore_invariant(point->y);
/* Get the x from the y */
point->x = ecp_edx(point->curve, point->y);