libsecp256k1 allows overflowing signatures

libsecp256k1 accepts signatures whose R or S parameter is larger than the
secp256k1 curve order, which differs from other implementations. This could
lead to invalid signatures being verified.

The error is resolved in 0.5.0 by adding a check_overflow flag.

See advisory page for additional details.