apetag: fix error handling in ff_ape_parse_tag()

The following error handling is broken due to signedness.

    int file_size;
    uint32_t tag_bytes;
    int64_t tag_start;
    ...
    tag_start = file_size - tag_bytes - APE_TAG_FOOTER_BYTES;
    if (tag_start < 0) { ... }

Note that tag_bytes is unsigned, which makes the right-hand side of
`tag_start = ...' unsigned, too.  The 32-bit unsigned value is then
zero-extended to 64 bits.  Therefore, tag_start must be non-negative,
and the check (tag_start < 0) is always false, which breaks the error
handling.  This patch fixes the check.

Signed-off-by: Xi Wang <xi.wang@gmail.com>
Signed-off-by: Anton Khirnov <anton@khirnov.net>

libavformat/apetag.c

@@ -144,11 +144,11 @@ int64_t ff_ape_parse_tag(AVFormatContext *s)
         return 0;
     }
 
-    tag_start = file_size - tag_bytes - APE_TAG_FOOTER_BYTES;
-    if (tag_start < 0) {
+    if (tag_bytes > file_size - APE_TAG_FOOTER_BYTES) {
         av_log(s, AV_LOG_ERROR, "Invalid tag size %u.\n", tag_bytes);
         return 0;
     }
+    tag_start = file_size - tag_bytes - APE_TAG_FOOTER_BYTES;
 
     fields = avio_rl32(pb);    /* number of fields */
     if (fields > 65536) {