9c7de0bd83bc6e1876dc0b8b7091127629a07bf0
chmalee
  Thu Mar 5 14:32:25 2026 -0800
Fix array size bounds check for /getData/track endpoint to actually limit to 100 requested tracks

diff --git src/hg/hubApi/dataApi.h src/hg/hubApi/dataApi.h
index a741786bec9..449e32d141c 100644
--- src/hg/hubApi/dataApi.h
+++ src/hg/hubApi/dataApi.h
@@ -111,30 +111,33 @@
 extern char *argFindGenome[];
 extern char *argLiftOver[];
 extern char *argLiftRequest[];
 
 /* maximum number of words expected in PATH_INFO parsing
  *   so far only using 2
  */
 #define MAX_PATH_INFO 32
 
 /* maximum amount of DNA allowed in a get sequence request */
 #define MAX_DNA_LENGTH	499999999
 /* this size is directly related to the max limit in needMem used in
  * jsonWriteString
  */
 
+/* Maximum number of comma sep tracks that can be requested by /getData/track */
+#define MAX_NUM_TRACKS 100
+
 extern long enteredMainTime;	/* will become = clock1000() on entry */
 
 /* limit amount of output to a maximum to avoid overload */
 extern int maxItemsOutput;	/* can be set in URL maxItemsOutput=N */
 extern long long itemsReturned;	/* for getData functions, number of items returned */
 extern boolean reachedMaxItems;	/* during getData, signal to return */
 
 /* downloadUrl for use in error exits when reachedMaxItems */
 extern struct dyString *downloadUrl;
 
 /* supportedTypes will be initialized to a known supported set */
 extern struct slName *supportedTypes;
 
 /* for debugging purpose, current bot delay value */
 extern int botDelay;