With the development of cyber-physical systems, system security faces more risks from cyber-attacks. In this work, we study the problem that an external attacker implements covert sensor and actuator attacks with resource constraints (the total resource consumption of the attacks is not greater than a given initial resource of the attacker) to mislead a discrete event system under supervisory control to reach unsafe states. We consider that the attacker can implement two types of attacks: One by modifying the sensor readings observed by a supervisor and the other by enabling the actuator commands disabled by the supervisor. Each attack has its corresponding resource consumption and remains covert. To solve this problem, we first introduce a notion of combined-attackability to determine whether a closed-loop system may reach an unsafe state after receiving attacks with resource constraints. We develop an algorithm to construct a corrupted supervisor under attacks, provide a verification method for combined-attackability in polynomial time based on a plant, a corrupted supervisor, and an attacker's initial resource, and propose a corresponding attack synthesis algorithm. The effectiveness of the proposed method is illustrated by an example.