QCssParser: attempt to fix Coverity OVERRUN issue

Coverity complains, for each findKnownValue() call, that "forming the
address of the element at index numValues of buffer start requires the
index to be no more than the number of elements in the buffer", citing
QCss::NumKnownValues (e.g.) as the out-of-bound index.

Since it's complaining about the initialization of `start` in
findKnownValue(), I can only assume that it is bothered by the `+
numValues` (which moves the pointer out of range) followed by the - 1
(which brings it back into range), so make sure we subtract 1 before
adding to `start`.

That array + numValues would be considered outside the array
(incl. one-past-the-end) is highly irregular, and, AFAICT, caused by
the arrays not storing the resp. "unknown" entry at index 0,
effectively turning the arrays into Pascal (base-1) ones.

Shot in the dark (and a sign of poor/overly-strict deduction
capabilities in Coverity, if this is actually fixing the issue), but
worth a try.

Amends previous fix attempt 204b6c99089bcf7893be326e7d0076402b7abf0c.

Pick-to: 6.8 6.5 5.15
Coverity-Id: 183557
Coverity-Id: 183559
Coverity-Id: 183560
Coverity-Id: 183569
Coverity-Id: 183573
Coverity-Id: 183574
Coverity-Id: 183579
Coverity-Id: 183584
Coverity-Id: 183585
Coverity-Id: 183586
Coverity-Id: 183589
Task-number: QTBUG-83817
Change-Id: I3ad1f744986fe3223571a919b8a537c544ef314c
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
(cherry picked from commit 66081c52b5b4017ae141f8fa27bd082be1e79422)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>

src/gui/text/qcssparser.cpp

@@ -360,7 +360,7 @@ static bool operator<(const QCssKnownValue &prop, const QString &name)
 
 static quint64 findKnownValue(const QString &name, const QCssKnownValue *start, int numValues)
 {
-    const QCssKnownValue *end = start + numValues - 1;
+    const QCssKnownValue *end = start + (numValues - 1);
     const QCssKnownValue *prop = std::lower_bound(start, end, name);
     if ((prop == end) || (name < *prop))
         return 0;