Fixes: out of bounds memory access in QImage autotest

A pointer to the data of one qimage is used, with an offset, in a copy.
In the mono case, that could lead to overflow: the last row would
of the copy would stretch 1 byte beyond the end of the allocated
area. Fix by reducing the height of the copy, so that it keeps
within the allocated memory.

Task-number: QTBUG-28322

Change-Id: I09abfc83f738f8af000fc50f8c94f63dba3a6cfe
Reviewed-by: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@digia.com>

1 files changed, 2 insertions, 2 deletions

diff --git a/tests/auto/gui/image/qimage/tst_qimage.cpp b/tests/auto/gui/image/qimage/tst_qimage.cpp
index 1b0dbf754b..9cebdf3114 100644
--- a/tests/auto/gui/image/qimage/tst_qimage.cpp
+++ b/tests/auto/gui/image/qimage/tst_qimage.cpp
@@ -773,7 +773,7 @@ void tst_QImage::convertToFormat()
     int dp = (src.depth() < 8 || result.depth() < 8) ? 8 : 1;
     QImage src2(src.bits() + (dp*src.depth())/8,
                 src.width() - dp*2,
-                src.height(), src.bytesPerLine(),
+                src.height() - 1, src.bytesPerLine(),
                 src.format());
     if (src.depth() < 8)
         src2.setColorTable(src.colorTable());
@@ -785,7 +785,7 @@ void tst_QImage::convertToFormat()
 
     QImage expected2(result.bits() + (dp*result.depth())/8,
                      result.width() - dp*2,
-                     result.height(), result.bytesPerLine(),
+                     result.height() - 1, result.bytesPerLine(),
                      result.format());
     if (result.depth() < 8)
         expected2.setColorTable(result.colorTable());