git.ipfire.org Git - thirdparty/libarchive.git/commit
rar4 reader: protect copy_from_lzss_window_to_unp() (#2172)
author Dustin L. Howett <dustin@howett.net>
Thu, 9 May 2024 23:59:17 +0000 (18:59 -0500)
committer GitHub <noreply@github.com>
Thu, 9 May 2024 23:59:17 +0000 (01:59 +0200)
commit eac15e252010c1189a5c0f461364dbe2cd2a68b1
tree aeddb9aad2565116e4e32adea232518b38429cf7
parent 576a24205050a0ce5f8209f13bc1d94912797883

copy_from_lzss_window_to_unp unnecessarily took an `int` parameter where
both of its callers were holding a `size_t`.

A lzss opcode chain could be constructed that resulted in a negative
copy length, which when passed into memcpy would result in a very, very
large positive number.

Switching copy_from_lzss_window_to_unp to take a `size_t` allows it to
properly bounds-check length.

In addition, this patch also ensures that `length` is not itself larger
than the destination buffer.

Security: CVE-2024-20696
libarchive/archive_read_support_format_rar.c
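
The failure mode the commit message describes (a negative `int` length reaching `memcpy` as a huge `size_t`) next to a `size_t` bounds check of the kind it describes, as an added example; this is not libarchive's code. The function names, buffer sizes and the linear (non-wrapping) window are assumptions made for the illustration.

```c
/* Added illustration; all names here are hypothetical, not libarchive's. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UNP_SIZE 16   /* constructed destination capacity */
#define WIN_SIZE 32   /* constructed linear window (assumption: no wrap-around) */

/* The value memcpy receives when a negative int becomes its size_t argument. */
static size_t int_as_size(int length) { return (size_t)length; }

/* A signed, upper-bound-only comparison: every negative length is accepted. */
static int signed_check_accepts(int length, int room) { return length <= room; }

/* size_t length checked against both buffers before copying. Each offset is
 * validated before the subtraction that uses it, so nothing can wrap.
 * Returns 0 on success, -1 if the copy would leave either buffer. */
static int copy_checked(unsigned char *dst, size_t dst_size, size_t dst_off,
                        const unsigned char *win, size_t win_size,
                        size_t start, size_t length)
{
    if (dst_off > dst_size || length > dst_size - dst_off)
        return -1;                      /* would overrun the destination */
    if (start > win_size || length > win_size - start)
        return -1;                      /* would read past the window */
    memcpy(dst + dst_off, win + start, length);
    return 0;
}

/* Runs copy_checked on constructed buffers and returns its result
 * (-2 if an accepted copy did not place the expected first byte). */
static int try_copy(size_t dst_off, size_t start, size_t length)
{
    unsigned char win[WIN_SIZE], dst[UNP_SIZE] = {0};
    for (size_t i = 0; i < WIN_SIZE; i++) win[i] = (unsigned char)i;
    int r = copy_checked(dst, UNP_SIZE, dst_off, win, WIN_SIZE, start, length);
    if (r == 0 && length > 0 && dst[dst_off] != win[start]) return -2;
    return r;
}

int main(void)
{
    printf("(size_t)-1 = %zu\n", int_as_size(-1));
    printf("signed check accepts -1: %d\n", signed_check_accepts(-1, UNP_SIZE));
    printf("checked copy, length (size_t)-1: %d\n", try_copy(0, 0, int_as_size(-1)));
    printf("checked copy, length 8: %d\n", try_copy(4, 10, 8));
    return 0;
}
```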