diff -r -u db-5.3.21_orig/src/mp/mp_stat.c db-5.3.21/src/mp/mp_stat.c
--- db-5.3.21_orig/src/mp/mp_stat.c	2012-05-12 01:57:53.000000000 +0800
+++ db-5.3.21/src/mp/mp_stat.c	2015-05-19 15:07:09.000000000 +0800
@@ -87,6 +87,13 @@
 	u_int32_t i;
 	uintmax_t tmp_wait, tmp_nowait;
 
+	/*
+	 * The array holding the lengths related to the buffer allocated for *fspp.
+	 * The first element of the array holds the number of entries allocated.
+	 * The second element of the array holds the total number of bytes allocated.
+	 */
+	u_int32_t fsp_len[2];
+
 	dbmp = env->mp_handle;
 	mp = dbmp->reginfo[0].primary;
 
@@ -193,32 +200,53 @@
 	if (fspp != NULL) {
 		*fspp = NULL;
 
-		/* Count the MPOOLFILE structures. */
-		i = 0;
-		len = 0;
-		if ((ret = __memp_walk_files(env,
-		     mp, __memp_count_files, &len, &i, flags)) != 0)
-			return (ret);
+		while (*fspp == NULL) {
+			/* Count the MPOOLFILE structures. */
+			i = 0;
+			/*
+			 * Allow space for the first __memp_get_files() to align the
+			 * structure array to uintmax_t, DB_MPOOL_STAT's most
+			 * restrictive field.  [#23150]
+			 */
+			len = sizeof(uintmax_t);
+			if ((ret = __memp_walk_files(env,
+			     mp, __memp_count_files, &len, &i, flags)) != 0)
+				return (ret);
+
+			if (i == 0)
+				return (0);
+
+			/* 
+			 * Copy the number of DB_MPOOL_FSTAT entries and the number of
+			 * bytes allocated for them into fsp_len. Do not count the space
+			 * reserved for allignment.
+			 */
+			fsp_len[0] = i;
+			fsp_len[1] = len - sizeof(uintmax_t);
 
-		if (i == 0)
-			return (0);
-		len += sizeof(DB_MPOOL_FSTAT *);	/* Trailing NULL */
+			len += sizeof(DB_MPOOL_FSTAT *);	/* Trailing NULL */
 
-		/* Allocate space */
-		if ((ret = __os_umalloc(env, len, fspp)) != 0)
-			return (ret);
+			/* Allocate space */
+			if ((ret = __os_umalloc(env, len, fspp)) != 0)
+				return (ret);
 
-		tfsp = *fspp;
-		*tfsp = NULL;
-
-		/*
-		 * Files may have been opened since we counted, don't walk
-		 * off the end of the allocated space.
-		 */
-		if ((ret = __memp_walk_files(env,
-		    mp, __memp_get_files, &tfsp, &i, flags)) != 0)
-			return (ret);
+			tfsp = *fspp;
+			*tfsp = NULL;
 
+			/*
+			 * Files may have been opened since we counted, if we walk off
+			 * the end of the allocated space specified in fsp_len, retry.
+			 */
+			if ((ret = __memp_walk_files(env,
+			    mp, __memp_get_files, &tfsp, fsp_len, flags)) != 0) {
+				if (ret == DB_BUFFER_SMALL) {
+					__os_ufree(env, *fspp);
+					*fspp = NULL;
+					tfsp = NULL;
+				} else
+					return (ret);
+			}
+		}
 		*++tfsp = NULL;
 	}
 
@@ -286,28 +314,35 @@
  * for the text file names.
  */
 static int
-__memp_get_files(env, mfp, argp, countp, flags)
+__memp_get_files(env, mfp, argp, fsp_len, flags)
 	ENV *env;
 	MPOOLFILE *mfp;
 	void *argp;
-	u_int32_t *countp;
+	u_int32_t fsp_len[];
 	u_int32_t flags;
 {
 	DB_MPOOL *dbmp;
 	DB_MPOOL_FSTAT **tfsp, *tstruct;
 	char *name, *tname;
-	size_t nlen;
+	size_t nlen, tlen;
 
-	if (*countp == 0)
-		return (0);
+	/* We walked through more files than argp was allocated for. */
+	if (fsp_len[0] == 0)
+		return DB_BUFFER_SMALL;
 
 	dbmp = env->mp_handle;
 	tfsp = *(DB_MPOOL_FSTAT ***)argp;
 
 	if (*tfsp == NULL) {
-		/* Add 1 to count because we need to skip over the NULL. */
-		tstruct = (DB_MPOOL_FSTAT *)(tfsp + *countp + 1);
-		tname = (char *)(tstruct + *countp);
+		/*
+		 * Add 1 to count because to skip over the NULL end marker.
+		 * Align it further for DB_MPOOL_STAT's most restrictive field
+		 * because uintmax_t might require stricter alignment than
+		 * pointers; e.g., IP32 LL64 SPARC. [#23150]
+		 */
+		tstruct = (DB_MPOOL_FSTAT *)&tfsp[fsp_len[0] + 1];
+		tstruct = ALIGNP_INC(tstruct, sizeof(uintmax_t));
+		tname = (char *)&tstruct[fsp_len[0]];
 		*tfsp = tstruct;
 	} else {
 		tstruct = *tfsp + 1;
@@ -317,6 +352,15 @@
 
 	name = __memp_fns(dbmp, mfp);
 	nlen = strlen(name) + 1;
+
+	/* The space required for file names is larger than argp was allocated for. */
+	tlen = sizeof(DB_MPOOL_FSTAT *) + sizeof(DB_MPOOL_FSTAT) + nlen;
+	if (fsp_len[1] < tlen)
+		return DB_BUFFER_SMALL;
+	else
+		/* Count down the number of bytes left in argp. */
+		fsp_len[1] -= tlen;
+
 	memcpy(tname, name, nlen);
 	memcpy(tstruct, &mfp->stat, sizeof(mfp->stat));
 	tstruct->file_name = tname;
@@ -325,7 +369,9 @@
 	tstruct->st_pagesize = mfp->pagesize;
 
 	*(DB_MPOOL_FSTAT ***)argp = tfsp;
-	(*countp)--;
+
+	/* Count down the number of entries left in argp. */
+	fsp_len[0]--;
 
 	if (LF_ISSET(DB_STAT_CLEAR))
 		memset(&mfp->stat, 0, sizeof(mfp->stat));
diff -r -u db-5.3.21_orig/src/mp/mp_sync.c db-5.3.21/src/mp/mp_sync.c
--- db-5.3.21_orig/src/mp/mp_sync.c	2012-05-12 01:57:53.000000000 +0800
+++ db-5.3.21/src/mp/mp_sync.c	2015-05-19 15:08:05.000000000 +0800
@@ -57,11 +57,13 @@
 			if ((t_ret = func(env,
 			    mfp, arg, countp, flags)) != 0 && ret == 0)
 				ret = t_ret;
-			if (ret != 0 && !LF_ISSET(DB_STAT_MEMP_NOERROR))
+			if (ret != 0 &&
+			    (!LF_ISSET(DB_STAT_MEMP_NOERROR) || ret == DB_BUFFER_SMALL))
 				break;
 		}
 		MUTEX_UNLOCK(env, hp->mtx_hash);
-		if (ret != 0 && !LF_ISSET(DB_STAT_MEMP_NOERROR))
+		if (ret != 0 &&
+		    (!LF_ISSET(DB_STAT_MEMP_NOERROR) || ret == DB_BUFFER_SMALL))
 			break;
 	}
 	return (ret);