diff --git a/0001-repo-NUL-terminate-readlinkat-result.patch b/0001-repo-NUL-terminate-readlinkat-result.patch
new file mode 100644
index 0000000..e2b2de7
--- /dev/null
+++ b/0001-repo-NUL-terminate-readlinkat-result.patch
@@ -0,0 +1,52 @@
+From 6756841a7d04c3cc651a1ce7de35c55c754578d3 Mon Sep 17 00:00:00 2001
+From: Colin Walters <walters@verbum.org>
+Date: Mon, 29 Jul 2024 15:17:10 -0400
+Subject: [PATCH 1/1] repo: NUL terminate readlinkat result
+
+Coverity was correctly complaining about this.
+
+Signed-off-by: Colin Walters <walters@verbum.org>
+---
+ src/libostree/ostree-repo-commit.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/libostree/ostree-repo-commit.c b/src/libostree/ostree-repo-commit.c
+index 4d12d5ec..db83ebf2 100644
+--- a/src/libostree/ostree-repo-commit.c
++++ b/src/libostree/ostree-repo-commit.c
+@@ -794,7 +794,7 @@ _try_clone_from_payload_link (OstreeRepo *self, OstreeRepo *dest_repo, const cha
+       glnx_autofd int fdf = -1;
+       char loose_path_buf[_OSTREE_LOOSE_PATH_MAX];
+       char loose_path_target_buf[_OSTREE_LOOSE_PATH_MAX];
+-      char target_buf[_OSTREE_LOOSE_PATH_MAX + _OSTREE_PAYLOAD_LINK_PREFIX_LEN];
++      char target_buf[_OSTREE_LOOSE_PATH_MAX + _OSTREE_PAYLOAD_LINK_PREFIX_LEN + 1];
+       char target_checksum[OSTREE_SHA256_STRING_LEN + 1];
+       int dfd = dfd_searches[i];
+       ssize_t size;
+@@ -804,16 +804,21 @@ _try_clone_from_payload_link (OstreeRepo *self, OstreeRepo *dest_repo, const cha
+       _ostree_loose_path (loose_path_buf, payload_checksum, OSTREE_OBJECT_TYPE_PAYLOAD_LINK,
+                           self->mode);
+ 
+-      size = TEMP_FAILURE_RETRY (readlinkat (dfd, loose_path_buf, target_buf, sizeof (target_buf)));
++      size = TEMP_FAILURE_RETRY (
++          readlinkat (dfd, loose_path_buf, target_buf, sizeof (target_buf) - 1));
+       if (size < 0)
+         {
+           if (errno == ENOENT)
+             continue;
+           return glnx_throw_errno_prefix (error, "readlinkat");
+         }
++      target_buf[size] = '\0';
+ 
++      const size_t expected_len = OSTREE_SHA256_STRING_LEN + _OSTREE_PAYLOAD_LINK_PREFIX_LEN;
+       if (size < OSTREE_SHA256_STRING_LEN + _OSTREE_PAYLOAD_LINK_PREFIX_LEN)
+-        return glnx_throw (error, "invalid data size for %s", loose_path_buf);
++        return glnx_throw (error, "invalid data size for %s; expected=%llu found=%llu",
++                           loose_path_buf, (unsigned long long)expected_len,
++                           (unsigned long long)size);
+ 
+       snprintf (target_checksum, size, "%.2s%.62s", target_buf + _OSTREE_PAYLOAD_LINK_PREFIX_LEN,
+                 target_buf + _OSTREE_PAYLOAD_LINK_PREFIX_LEN + 3);
+-- 
+2.45.2
+
diff --git a/ostree.spec b/ostree.spec
index ea422d6..3a24de2 100644
--- a/ostree.spec
+++ b/ostree.spec
@@ -13,6 +13,8 @@ Source0: https://github.com/ostreedev/%{name}/releases/download/v%{version}/libo
 License: LGPL-2.0-or-later
 URL: https://ostree.readthedocs.io/en/latest/
 
+Patch0: 0001-repo-NUL-terminate-readlinkat-result.patch
+
 # Conditional to ELN right now to reduce blast radius; xref
 # https://github.com/containers/composefs/pull/229#issuecomment-1838735764
 %if 0%{?rhel} >= 10