icu: CVE-2014-8146-CVE-2014-8147 CVE-2014-8146 icu: heap overflow via incorrect isolateCount CVE-2014-8147 icu: integer truncation in the resolveImplicitLevels function References: [1] https://github.com/pedrib/PoC/raw/master/generic/i-c-u-fail.7z [2] https://www.kb.cert.org/vuls/id/602540 [3] http://bugs.icu-project.org/trac/changeset/37080 [4] http://bugs.icu-project.org/trac/changeset/37162 Upstream-Status: Backport Signed-off-by: Sona Sarmadi
---
diff -ruN a/common/ubidi.c b/common/ubidi.c
--- a/common/ubidi.c 2014-10-03 18:11:20.000000000 +0200
+++ b/common/ubidi.c 2015-08-28 08:22:39.455906194 +0200
@@ -2138,7 +2138,7 @@
 /* The isolates[] entries contain enough information to resume the bidi algorithm in the same state as it was when it was interrupted by an isolate sequence. */
- if(dirProps[start]==PDI) {
+ if(dirProps[start]==PDI && pBiDi->isolateCount >= 0) {
 levState.startON=pBiDi->isolates[pBiDi->isolateCount].startON;
 start1=pBiDi->isolates[pBiDi->isolateCount].start1;
 stateImp=pBiDi->isolates[pBiDi->isolateCount].stateImp;
diff -ruN a/common/ubidiimp.h b/common/ubidiimp.h
--- a/common/ubidiimp.h 2014-10-03 18:11:16.000000000 +0200
+++ b/common/ubidiimp.h 2015-08-28 08:28:24.069163845 +0200
@@ -1,7 +1,7 @@
 /*
 ******************************************************************************
 *
-* Copyright (C) 1999-2014, International Business Machines
+* Copyright (C) 1999-2015, International Business Machines
 * Corporation and others. All Rights Reserved.
 *
 ******************************************************************************
@@ -184,8 +184,8 @@
 typedef struct Isolate {
 int32_t startON;
 int32_t start1;
+ int32_t state;
 int16_t stateImp;
- int16_t state;
 } Isolate;
 typedef struct Run {
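Review bot: The new guard `pBiDi->isolateCount >= 0` in the ubidi.c hunk only rules out a negative index into `pBiDi->isolates[]`; nothing in the hunk shows that `isolateCount` is also kept below the array's capacity, so whether the upper bound is enforced at the increment site should be confirmed, since the commit message attributes CVE-2014-8146 to an incorrect `isolateCount`. When the condition is false the three restore assignments are skipped and `levState.startON`, `start1` and `stateImp` keep whatever values they had, which is presumably the intended behaviour for a PDI with no open isolate but is not stated anywhere; a why-comment on the new line would make the skip visibly deliberate, e.g. `/* isolateCount<0: no isolate entry to resume from, keep current state */`. The enclosing function starts and ends outside the hunk, so the increment/decrement sites of `isolateCount` cannot be checked from here.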
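Review bot: Widening `state` from `int16_t` to `int32_t` in the `Isolate` struct fixes the truncation named in the commit message for CVE-2014-8147, but the struct hunk carries no comment saying why the field must be full width, so a future "tidy-up" could shrink it again; suggest `int32_t state;   /* must not be narrowed: values exceed int16_t range (CVE-2014-8147) */`. The write sites for `state` are not in this diff, so it cannot be verified here that no caller still narrows the value with an explicit cast before storing it; that is worth a grep in the same change. Moving `state` ahead of `stateImp` also changes the struct layout, which is harmless only if `Isolate` is private to the library as the ubidiimp.h location suggests.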