diff --git a/common/os_calls.c b/common/os_calls.c
index ff1182b28b..014f585658 100644
--- a/common/os_calls.c
+++ b/common/os_calls.c
@@ -1805,7 +1805,7 @@ g_set_wait_obj(tintptr obj)
         return 0;
     }
     fd = obj >> 16;
-    to_write = 4;
+    to_write = sizeof(buf);
     written = 0;
     while (written < to_write)
     {
@@ -1823,12 +1823,13 @@ g_set_wait_obj(tintptr obj)
                 return 1;
             }
         }
-        else if (error > 0)
+        else if (error > 0 && error <= (int)sizeof(buf))
         {
             written += error;
         }
         else
         {
+            // Shouldn't get here.
             return 1;
         }
     }
@@ -2297,15 +2298,27 @@ g_file_set_cloexec(int fd, int status)
 struct list *
 g_get_open_fds(int min, int max)
 {
+    if (min < 0)
+    {
+        min = 0;
+    }
+
     struct list *result = list_create();
 
     if (result != NULL)
     {
         if (max < 0)
         {
-            max = sysconf(_SC_OPEN_MAX);
+            // sysconf() returns a long. Limit it to a sane value
+#define SANE_MAX 100000
+            long sc_max = sysconf(_SC_OPEN_MAX);
+            max = (sc_max < 0) ? 0 :
+                  (sc_max > (long)SANE_MAX) ? SANE_MAX :
+                  sc_max;
+#undef SANE_MAX
         }
 
+        // max and min are now both guaranteed to be >= 0
         if (max > min)
         {
             struct pollfd *fds = g_new0(struct pollfd, max - min);
diff --git a/common/string_calls.c b/common/string_calls.c
index dca5bc150e..0806ed6ea8 100644
--- a/common/string_calls.c
+++ b/common/string_calls.c
@@ -444,6 +444,7 @@ g_atoix(const char *str)
         str += 2;
         base = 16;
     }
+    //coverity[OVERRUN:FALSE]
     return strtol(str, NULL, base);
 }
 
diff --git a/libipm/libipm_recv.c b/libipm/libipm_recv.c
index 5842a1e0d0..5828e0ebf1 100644
--- a/libipm/libipm_recv.c
+++ b/libipm/libipm_recv.c
@@ -135,7 +135,7 @@ libipm_msg_in_check_available(struct trans *trans, int *available)
 enum libipm_status
 libipm_msg_in_wait_available(struct trans *trans)
 {
-    tbus wobj[1];
+    tbus wobj[2]; // trans_get_wait_objs() can return at most 2 elements
     int ocnt = 0;
     enum libipm_status rv = E_LI_SUCCESS;
 
diff --git a/sesman/sesexec/session.c b/sesman/sesexec/session.c
index 13ac7f3596..5a20a5f0b2 100644
--- a/sesman/sesexec/session.c
+++ b/sesman/sesexec/session.c
@@ -495,9 +495,6 @@ start_x_server(struct login_info *login_info,
                 unknown_session_type = 1;
         }
 
-        g_free(passwd_file);
-        passwd_file = NULL;
-
         if (xserver_params == NULL)
         {
             LOG(LOG_LEVEL_ERROR, "Out of memory allocating X server params");
@@ -520,6 +517,7 @@ start_x_server(struct login_info *login_info,
     }
 
     /* should not get here */
+    g_free(passwd_file);
     list_delete(xserver_params);
     LOG(LOG_LEVEL_ERROR, "A fatal error has occurred attempting "
         "to start the X server on display %u, aborting connection",