diff -r -u db-5.3.21_orig/src/mp/mp_stat.c db-5.3.21/src/mp/mp_stat.c

--- db-5.3.21_orig/src/mp/mp_stat.c	2012-05-12 01:57:53.000000000 +0800

+++ db-5.3.21/src/mp/mp_stat.c	2015-05-19 15:07:09.000000000 +0800

@@ -87,6 +87,13 @@

 	u_int32_t i;

 	uintmax_t tmp_wait, tmp_nowait;

+	/*

+	 * The array holding the lengths related to the buffer allocated for *fspp.

+	 * The first element of the array holds the number of entries allocated.

+	 * The second element of the array holds the total number of bytes allocated.

+	 */

+	u_int32_t fsp_len[2];

+

 	dbmp = env->mp_handle;

 	mp = dbmp->reginfo[0].primary;

@@ -193,32 +200,53 @@

 	if (fspp != NULL) {

 		*fspp = NULL;

-		/* Count the MPOOLFILE structures. */

-		i = 0;

-		len = 0;

-		if ((ret = __memp_walk_files(env,

-		     mp, __memp_count_files, &len, &i, flags)) != 0)

-			return (ret);

+		while (*fspp == NULL) {

+			/* Count the MPOOLFILE structures. */

+			i = 0;

+			/*

+			 * Allow space for the first __memp_get_files() to align the

+			 * structure array to uintmax_t, DB_MPOOL_STAT's most

+			 * restrictive field.  [#23150]

+			 */

+			len = sizeof(uintmax_t);

+			if ((ret = __memp_walk_files(env,

+			     mp, __memp_count_files, &len, &i, flags)) != 0)

+				return (ret);

+

+			if (i == 0)

+				return (0);

+

+			/* 

+			 * Copy the number of DB_MPOOL_FSTAT entries and the number of

+			 * bytes allocated for them into fsp_len. Do not count the space

+			 * reserved for allignment.

+			 */

+			fsp_len[0] = i;

+			fsp_len[1] = len - sizeof(uintmax_t);

-		if (i == 0)

-			return (0);

-		len += sizeof(DB_MPOOL_FSTAT *);	/* Trailing NULL */

+			len += sizeof(DB_MPOOL_FSTAT *);	/* Trailing NULL */

-		/* Allocate space */

-		if ((ret = __os_umalloc(env, len, fspp)) != 0)

-			return (ret);

+			/* Allocate space */

+			if ((ret = __os_umalloc(env, len, fspp)) != 0)

+				return (ret);

-		tfsp = *fspp;

-		*tfsp = NULL;

-

-		/*

-		 * Files may have been opened since we counted, don't walk

-		 * off the end of the allocated space.

-		 */

-		if ((ret = __memp_walk_files(env,

-		    mp, __memp_get_files, &tfsp, &i, flags)) != 0)

-			return (ret);

+			tfsp = *fspp;

+			*tfsp = NULL;

+			/*

+			 * Files may have been opened since we counted, if we walk off

+			 * the end of the allocated space specified in fsp_len, retry.

+			 */

+			if ((ret = __memp_walk_files(env,

+			    mp, __memp_get_files, &tfsp, fsp_len, flags)) != 0) {

+				if (ret == DB_BUFFER_SMALL) {

+					__os_ufree(env, *fspp);

+					*fspp = NULL;

+					tfsp = NULL;

+				} else

+					return (ret);

+			}

+		}

 		*++tfsp = NULL;

 	}

@@ -286,28 +314,35 @@

  * for the text file names.

  */

 static int

-__memp_get_files(env, mfp, argp, countp, flags)

+__memp_get_files(env, mfp, argp, fsp_len, flags)

 	ENV *env;

 	MPOOLFILE *mfp;

 	void *argp;

-	u_int32_t *countp;

+	u_int32_t fsp_len[];

 	u_int32_t flags;

 {

 	DB_MPOOL *dbmp;

 	DB_MPOOL_FSTAT **tfsp, *tstruct;

 	char *name, *tname;

-	size_t nlen;

+	size_t nlen, tlen;

-	if (*countp == 0)

-		return (0);

+	/* We walked through more files than argp was allocated for. */

+	if (fsp_len[0] == 0)

+		return DB_BUFFER_SMALL;

 	dbmp = env->mp_handle;

 	tfsp = *(DB_MPOOL_FSTAT ***)argp;

 	if (*tfsp == NULL) {

-		/* Add 1 to count because we need to skip over the NULL. */

-		tstruct = (DB_MPOOL_FSTAT *)(tfsp + *countp + 1);

-		tname = (char *)(tstruct + *countp);

+		/*

+		 * Add 1 to count because to skip over the NULL end marker.

+		 * Align it further for DB_MPOOL_STAT's most restrictive field

+		 * because uintmax_t might require stricter alignment than

+		 * pointers; e.g., IP32 LL64 SPARC. [#23150]

+		 */

+		tstruct = (DB_MPOOL_FSTAT *)&tfsp[fsp_len[0] + 1];

+		tstruct = ALIGNP_INC(tstruct, sizeof(uintmax_t));

+		tname = (char *)&tstruct[fsp_len[0]];

 		*tfsp = tstruct;

 	} else {

 		tstruct = *tfsp + 1;

@@ -317,6 +352,15 @@

 	name = __memp_fns(dbmp, mfp);

 	nlen = strlen(name) + 1;

+

+	/* The space required for file names is larger than argp was allocated for. */

+	tlen = sizeof(DB_MPOOL_FSTAT *) + sizeof(DB_MPOOL_FSTAT) + nlen;

+	if (fsp_len[1] < tlen)

+		return DB_BUFFER_SMALL;

+	else

+		/* Count down the number of bytes left in argp. */

+		fsp_len[1] -= tlen;

+

 	memcpy(tname, name, nlen);

 	memcpy(tstruct, &mfp->stat, sizeof(mfp->stat));

 	tstruct->file_name = tname;

@@ -325,7 +369,9 @@

 	tstruct->st_pagesize = mfp->pagesize;

 	*(DB_MPOOL_FSTAT ***)argp = tfsp;

-	(*countp)--;

+

+	/* Count down the number of entries left in argp. */

+	fsp_len[0]--;

 	if (LF_ISSET(DB_STAT_CLEAR))

 		memset(&mfp->stat, 0, sizeof(mfp->stat));

diff -r -u db-5.3.21_orig/src/mp/mp_sync.c db-5.3.21/src/mp/mp_sync.c

--- db-5.3.21_orig/src/mp/mp_sync.c	2012-05-12 01:57:53.000000000 +0800

+++ db-5.3.21/src/mp/mp_sync.c	2015-05-19 15:08:05.000000000 +0800

@@ -57,11 +57,13 @@

 			if ((t_ret = func(env,

 			    mfp, arg, countp, flags)) != 0 && ret == 0)

 				ret = t_ret;

-			if (ret != 0 && !LF_ISSET(DB_STAT_MEMP_NOERROR))

+			if (ret != 0 &&

+			    (!LF_ISSET(DB_STAT_MEMP_NOERROR) || ret == DB_BUFFER_SMALL))

 				break;

 		}

 		MUTEX_UNLOCK(env, hp->mtx_hash);

-		if (ret != 0 && !LF_ISSET(DB_STAT_MEMP_NOERROR))

+		if (ret != 0 &&

+		    (!LF_ISSET(DB_STAT_MEMP_NOERROR) || ret == DB_BUFFER_SMALL))

 			break;

 	}

 	return (ret);