unicode-decoder: fix out-of-band write in utf16
`WriteUtf16Slow` should not assume that the output buffer has enough
bytes to hold both words of surrogate pair. It should pass the number of
remaining bytes to the `Utf8::ValueOf` instead, just as we already do in
`Utf8DecoderBase::Reset`. Otherwise it will attempt to write the trail
uint16_t past the buffer boundary, leading to memory corruption and
possible crash.
Originally reported by: Kris Reeves <kris.re@bbhmedia.com>
BUG=v8:4274
R=danno
R=svenpanne
LOG=y
Review URL: https://codereview.chromium.org/
1226493003
Cr-Commit-Position: refs/heads/master@{#29485}