From 7b0e732eebd1951d8845c578c459dce60e98ce66 Mon Sep 17 00:00:00 2001
From: Jean-Marc Lasgouttes
Date: Wed, 5 Apr 2017 10:22:52 +0200
Subject: [PATCH] Check both lower and upper bound for tainted loop limit

In these cases, the lower bound is not that important, but coverity insists on it.
---
 src/mathed/MathExtern.cpp | 4 ++--
 src/mathed/MathParser.cpp | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/mathed/MathExtern.cpp b/src/mathed/MathExtern.cpp
index da43bd4e35..182a00971f 100644
--- a/src/mathed/MathExtern.cpp
+++ b/src/mathed/MathExtern.cpp
@@ -896,8 +896,8 @@ void extractDiff(MathData & ar)
 int mult = 1;
 if (extractNumber(script->up(), mult)) {
 //lyxerr << "mult: " << mult << endl;
- if (mult > 1000) {
- lyxerr << "Cannot differentiate more than 1000 times !" << endl;
+ if (mult < 0 || mult > 1000) {
+ lyxerr << "Cannot differentiate less than 0 or more than 1000 times !" << endl;
 continue;
 }
 for (int i = 0; i < mult; ++i)
diff --git a/src/mathed/MathParser.cpp b/src/mathed/MathParser.cpp
index 9bc5ff9362..6c04d625af 100644
--- a/src/mathed/MathParser.cpp
+++ b/src/mathed/MathParser.cpp
@@ -1375,7 +1375,7 @@ bool Parser::parse1(InsetMathGrid & grid, unsigned flags,
 parse(count, FLAG_ITEM, mode);
 int cols;
 // limit arbitrarily to 100 columns
- if (extractNumber(count, cols) && cols < 100) {
+ if (extractNumber(count, cols) && cols > 0 && cols < 100) {
 // resize the table if necessary
 size_t first = grid.index(cellrow, cellcol);
 for (int i = 1; i < cols; ++i) {
--
2.39.2
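Review bot: The bounds check on `mult` in extractDiff has no comment saying why it exists, so the next reader sees only an arbitrary range. `mult` is filled by `extractNumber(script->up(), mult)` and then used as the limit of `for (int i = 0; i < mult; ++i)`, and the commit title calls it tainted, so I would add `// mult is parsed from the formula and used as a loop limit below; keep it bounded` above the `if`. The literal 1000 now appears in both the condition and the message text; a named constant would keep the two in step. The loop body and the rest of extractDiff lie outside the hunk.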
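Review bot: The comment `// limit arbitrarily to 100 columns` above the changed `if` in Parser::parse1 does not match the condition, because `cols > 0 && cols < 100` accepts 1 through 99 and the comment says nothing about the new lower bound. I would reword it to `// cols is parsed from the input; accept only 1..99 before it is used as a loop limit`. The `if` body and any `else` continue beyond the hunk, so whether an out-of-range count is reported or silently ignored cannot be seen here and is worth checking at that spot.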