diff --git a/lib/luks2/luks2_luks1_convert.c b/lib/luks2/luks2_luks1_convert.c
index 202849c6..21a58716 100644
--- a/lib/luks2/luks2_luks1_convert.c
+++ b/lib/luks2/luks2_luks1_convert.c
@@ -726,14 +726,14 @@ int LUKS2_luks2_to_luks1(struct crypt_device *cd, struct luks2_hdr *hdr2, struct
 	if (r < 0)
 		return r;
 
-	strncpy(hdr1->cipherName, cipher, sizeof(hdr1->cipherName));
-	strncpy(hdr1->cipherMode, cipher_mode, sizeof(hdr1->cipherMode));
+	strncpy(hdr1->cipherName, cipher, sizeof(hdr1->cipherName) - 1);
+	strncpy(hdr1->cipherMode, cipher_mode, sizeof(hdr1->cipherMode) - 1);
 
 	if (!json_object_object_get_ex(jobj_keyslot, "kdf", &jobj_kdf))
 		return -EINVAL;
 	if (!json_object_object_get_ex(jobj_kdf, "hash", &jobj1))
 		return -EINVAL;
-	strncpy(hdr1->hashSpec, json_object_get_string(jobj1), sizeof(hdr1->hashSpec));
+	strncpy(hdr1->hashSpec, json_object_get_string(jobj1), sizeof(hdr1->hashSpec) - 1);
 
 	hdr1->keyBytes = key_size;
 
diff --git a/lib/utils_device_locking.c b/lib/utils_device_locking.c
index 7d547559..78220221 100644
--- a/lib/utils_device_locking.c
+++ b/lib/utils_device_locking.c
@@ -169,15 +169,16 @@ static void release_lock_handle(struct crypt_lock_handle *h)
 	char res[PATH_MAX];
 	struct stat buf_a, buf_b;
 
-	/* coverity[toctou] */
 	if (S_ISBLK(h->mode) && /* was it block device */
 	    !flock(h->flock_fd, LOCK_EX | LOCK_NB) && /* lock to drop the file */
 	    !resource_by_devno(res, sizeof(res), h->devno, 1) && /* acquire lock resource name */
 	    !fstat(h->flock_fd, &buf_a) && /* read inode id refered by fd */
 	    !stat(res, &buf_b) && /* does path file stil exist? */
-	    same_inode(buf_a, buf_b)) /* is it same id as the one referenced by fd? */
+	    same_inode(buf_a, buf_b)) { /* is it same id as the one referenced by fd? */
+		/* coverity[toctou] */
 		if (unlink(res)) /* yes? unlink the file */
 			log_dbg("Failed to unlink resource file: %s", res);
+	}
 
 	if (close(h->flock_fd))
 		log_dbg("Failed to close resource fd (%d).", h->flock_fd);