Check both lower and upper bound for tainted loop limit

In these cases, the lower bound is not that important, but coverity insists on it.

diff --git a/src/mathed/MathExtern.cpp b/src/mathed/MathExtern.cpp
index da43bd4e3508043ee7bc6a70801efc90598d470b..182a00971f1b57a90610d7dc71b8f27790751539 100644 (file)
--- a/src/mathed/MathExtern.cpp
+++ b/src/mathed/MathExtern.cpp
@@ -896,8 +896,8 @@ void extractDiff(MathData & ar)
                                int mult = 1;
                                if (extractNumber(script->up(), mult)) {
                                        //lyxerr << "mult: " << mult << endl;
-                                       if (mult > 1000) {
-                                               lyxerr << "Cannot differentiate more than 1000 times !" << endl;
+                                       if (mult < 0 || mult > 1000) {
+                                               lyxerr << "Cannot differentiate less than 0 or more than 1000 times !" << endl;
                                                continue;
                                        }
                                        for (int i = 0; i < mult; ++i)

diff --git a/src/mathed/MathParser.cpp b/src/mathed/MathParser.cpp
index 9bc5ff9362bbd8514eec8b83610ef2c9bcc05abb..6c04d625af8466eca9ded12a2da00e724a08b90a 100644 (file)
--- a/src/mathed/MathParser.cpp
+++ b/src/mathed/MathParser.cpp
@@ -1375,7 +1375,7 @@ bool Parser::parse1(InsetMathGrid & grid, unsigned flags,
                        parse(count, FLAG_ITEM, mode);
                        int cols;
                        // limit arbitrarily to 100 columns
-                       if (extractNumber(count, cols) && cols < 100) {
+                       if (extractNumber(count, cols) && cols > 0 && cols < 100) {
                                // resize the table if necessary
                                size_t first = grid.index(cellrow, cellcol);
                                for (int i = 1; i < cols; ++i) {