aircrack-ng / rtl8812au

RTL8812AU/21AU and RTL8814AU driver with monitor mode and frame injection
GNU General Public License v2.0

[Bug] "index 219 is out of range for type 'u8 [65]' in hal_com_phycfg.c" found in fuzzing testing. #1197

Open sardChen opened 4 weeks ago

sardChen commented 4 weeks ago

When executing a fuzzing test against rtl8812au, I found a bug in the dmesg logs:

[ 2241.431846] audit: type=1107 audit(1730017609.846:69): pid=931 uid=102 auid=4294967295 ses=4294967295 subj=unconfined msg='apparmor="DENIED" operation="dbus_signal"  bus="system" path="/org/freedesktop/login1" interface="org.freedesktop.login1.Manager" member="SessionNew" name=":1.9" mask="receive" pid=4419 label="snap.firefox.firefox" peer_pid=1000 peer_label="unconfined"
                exe="/usr/bin/dbus-daemon" sauid=102 hostname=? addr=? terminal=?'
[ 2328.531310] device wlx00c0cab49354 entered promiscuous mode
[ 2359.415801] ================================================================================
[ 2359.415814] UBSAN: array-index-out-of-bounds in /home/sandy/workplace/wifiTest/driver/rtl8812au/hal/hal_com_phycfg.c:2288:49
[ 2359.415823] index 219 is out of range for type 'u8 [65]'
[ 2359.415828] CPU: 11 PID: 8837 Comm: owfuzz Tainted: G           OE     5.15.0-53-generic #59-Ubuntu
[ 2359.415835] Hardware name: Gigabyte Technology Co., Ltd. B660M GAMING AC DDR4/B660M GAMING AC DDR4, BIOS F4 01/17/2022
[ 2359.415839] Call Trace:
[ 2359.415842]  <TASK>
[ 2359.415846]  show_stack+0x52/0x5c
[ 2359.415857]  dump_stack_lvl+0x4a/0x63
[ 2359.415870]  dump_stack+0x10/0x16
[ 2359.415876]  ubsan_epilogue+0x9/0x49
[ 2359.415882]  __ubsan_handle_out_of_bounds.cold+0x44/0x49
[ 2359.415892]  PHY_GetTxPowerIndexBase+0xac1/0xcb0 [88XXau]
[ 2359.416064]  PHY_GetTxPowerIndex_8812A+0x7a/0x1c0 [88XXau]
[ 2359.416216]  rtw_hal_get_tx_power_index+0x1c/0x30 [88XXau]
[ 2359.416373]  phy_set_tx_power_level_by_path+0x11b/0x540 [88XXau]
[ 2359.416516]  phy_SwChnlAndSetBwMode8812+0xa7/0x230 [88XXau]
[ 2359.416660]  PHY_SetSwChnlBWMode8812+0x13b/0x160 [88XXau]
[ 2359.416790]  rtw_hal_set_chnl_bw+0xf5/0x180 [88XXau]
[ 2359.416946]  set_channel_bwmode+0xad/0x230 [88XXau]
[ 2359.417061]  ? usb_read_port+0x3550/0xbb10 [88XXau]
[ 2359.417213]  usb_read_port+0x35bc/0xbb10 [88XXau]
[ 2359.417342]  ioctl_standard_call+0x62/0x120
[ 2359.417350]  ? iw_handler_get_private+0x70/0x70
[ 2359.417357]  ? ioctl_standard_iw_point+0x3d0/0x3d0
[ 2359.417364]  wireless_process_ioctl+0x138/0x190
[ 2359.417371]  wext_handle_ioctl+0x13e/0x180
[ 2359.417377]  ? do_fault+0xa0/0x2e0
[ 2359.417385]  sock_ioctl+0x1db/0x310
[ 2359.417392]  ? __handle_mm_fault+0x405/0x6f0
[ 2359.417400]  __x64_sys_ioctl+0x92/0xd0
[ 2359.417409]  do_syscall_64+0x59/0xc0
[ 2359.417415]  ? handle_mm_fault+0xd8/0x2c0
[ 2359.417422]  ? do_user_addr_fault+0x1e7/0x670
[ 2359.417429]  ? exit_to_user_mode_prepare+0x37/0xb0
[ 2359.417437]  ? irqentry_exit_to_user_mode+0x9/0x20
[ 2359.417444]  ? irqentry_exit+0x1d/0x30
[ 2359.417450]  ? exc_page_fault+0x89/0x170
[ 2359.417456]  entry_SYSCALL_64_after_hwframe+0x61/0xcb
[ 2359.417465] RIP: 0033:0x7f759d978aff
[ 2359.417471] Code: 00 48 89 44 24 18 31 c0 48 8d 44 24 60 c7 04 24 10 00 00 00 48 89 44 24 08 48 8d 44 24 20 48 89 44 24 10 b8 10 00 00 00 0f 05 <41> 89 c0 3d 00 f0 ff ff 77 1f 48 8b 44 24 18 64 48 2b 04 25 28 00
[ 2359.417476] RSP: 002b:00007ffd5e58d730 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
[ 2359.417484] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f759d978aff
[ 2359.417488] RDX: 00007ffd5e58d7d0 RSI: 0000000000008b04 RDI: 0000000000000003
[ 2359.417491] RBP: 00007ffd5e58d800 R08: 0000000000000000 R09: 0034353339346261
[ 2359.417494] R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd5e58dc88
[ 2359.417497] R13: 0000564da4c581e9 R14: 0000564da4cf7938 R15: 00007f759dc33040
[ 2359.417502]  </TASK>
[ 2359.417504] ================================================================================

The vulnerability is shown in the following code:

[Screenshot 2024-10-28 15:52:07 (image not included in this copy)]
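The trace above is the classic shape of a table-lookup bug: a channel number arrives through the wireless-extensions ioctl path (`wext_handle_ioctl`, RSI holds 0x8b04, which is SIOCSIWFREQ), travels down through `set_channel_bwmode` into `PHY_GetTxPowerIndexBase`, and is turned into a slot in a per-channel `u8 [65]` power table without anyone confirming the slot is inside the array. The following is an added example, not code from the rtl8812au driver or from the reporter: it models only the table shape (`u8 [65]`) from the UBSAN message, constructs its own channel list and power values, and sets an unchecked arithmetic channel-to-slot mapping beside a validated one so the difference in behaviour on fuzzer-style inputs is visible. The mapping, the channel list and every function name here are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint8_t u8;

/* Only the table shape comes from the UBSAN message ('u8 [65]'). The channel
 * list, the power values and both index functions are constructed for this
 * example and are not the driver's own code or layout. */
#define TXPWR_TABLE_LEN 65

/* Constructed: the 65 center channels the table is meant to cover. */
static const u8 center_ch[TXPWR_TABLE_LEN] = {
      1,   2,   3,   4,   5,   6,   7,   8,   9,  10,  11,  12,  13,  14,
     36,  38,  40,  42,  44,  46,  48,  50,  52,  54,  56,  58,  60,  62,  64,
    100, 102, 104, 106, 108, 110, 112, 114, 116, 118, 120, 122, 124, 126, 128,
    130, 132, 134, 136, 138, 140, 142, 144,
    149, 151, 153, 155, 157, 159, 161, 163, 165, 167, 169, 171, 173,
};

/* Constructed per-slot Tx power base values, filled deterministically. */
static u8 txpwr_base[TXPWR_TABLE_LEN];

static void table_init(void)
{
    static bool done;
    if (done)
        return;
    for (size_t i = 0; i < TXPWR_TABLE_LEN; i++)
        txpwr_base[i] = (u8)(0x20 + (i % 8));
    done = true;
}

/* Unchecked pattern: derive a slot from the requested channel by arithmetic
 * and trust it. Channels outside the assumed ranges yield slots that are
 * either past the end of the table (an out-of-bounds read once used) or
 * silently alias another channel's slot. Pure computation, no memory access. */
static int channel_index_unchecked(u8 channel)
{
    if (channel <= 14)
        return channel - 1;              /* 2.4 GHz slots 0..13 */
    return 14 + (channel - 36) / 2;      /* assumes one contiguous 5 GHz block */
}

/* Checked pattern: a channel gets a slot only if it is actually in the table. */
static int channel_index_checked(u8 channel)
{
    for (size_t i = 0; i < TXPWR_TABLE_LEN; i++)
        if (center_ch[i] == channel)
            return (int)i;
    return -1;
}

/* Table read guarded by the range check; returns false rather than indexing
 * past txpwr_base[] for a channel the table does not know. */
static bool tx_power_index_base(u8 channel, u8 *out)
{
    int idx = channel_index_checked(channel);

    table_init();
    if (idx < 0 || idx >= TXPWR_TABLE_LEN)
        return false;
    *out = txpwr_base[idx];
    return true;
}

/* Convenience wrapper: the power value, or -1 when the channel is rejected. */
static int tx_power_or_minus1(u8 channel)
{
    u8 v;
    return tx_power_index_base(channel, &v) ? (int)v : -1;
}

int main(void)
{
    /* Constructed inputs: two valid channels plus the kind of arbitrary
     * values a fuzzer feeds through the set-frequency ioctl path. */
    const u8 probes[] = { 1, 36, 20, 200, 255 };

    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        u8 ch = probes[i];
        printf("channel %3d: unchecked slot %4d, checked slot %3d, power %d\n",
               ch, channel_index_unchecked(ch), channel_index_checked(ch),
               tx_power_or_minus1(ch));
    }
    return 0;
}
```

Running it shows the two failure modes the unchecked mapping has: channel 200 or 255 produces a slot far past the 65-entry table (the out-of-bounds read UBSAN flags), while a value like channel 20 lands on slot 6 and quietly reads another channel's power setting with no crash at all. The checked variant turns both into an explicit rejection at the point where the ioctl-supplied value first becomes an index, which is where the fix for a report like this belongs.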