ERROR: index out of range while parsing attribute (?)

[jonas-koeritz]

I am working with a velociraptor offline collector and go-ntfs seems to break on my machine reproducible. I haven't done a deep dive into the code yet but this is my stack-trace. There seems to be an off by one error or similar thing happening.

panic: runtime error: index out of range [216] with length 216

goroutine 389 [running]:
www.velocidex.com/golang/go-ntfs/parser.(*NTFS_ATTRIBUTE).RunList(0xc003080ba0)
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/parser/attribute.go:158 +0x313
www.velocidex.com/golang/go-ntfs/parser.joinAllVCNs(0xc00bf20360, {0xc001646100?, 0x3, 0x4})
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/parser/easy.go:393 +0x1d3
www.velocidex.com/golang/go-ntfs/parser.OpenStream(0xc00bf20360?, 0xc0015d5980?, 0xc00263e180?, 0xea1a?)
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/parser/easy.go:356 +0x207
www.velocidex.com/golang/velociraptor/accessors/ntfs.(*MFTFileSystemAccessor).OpenWithOSPath(0xc00263c4f0, 0xc0006d6ea0?)
        /velociraptor-build/velociraptor/accessors/ntfs/mft.go:139 +0x127
www.velocidex.com/golang/velociraptor/vql/filesystem.(*ReadFileFunction).Call(0xc000ee7ae0?, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6ea0?}, 0x2149a20?)
        /velociraptor-build/velociraptor/vql/filesystem/filesystem.go:353 +0x2eb
www.velocidex.com/golang/vfilter.(*_SymbolRef).callFunction(0xc0011600c0, {0x26c1e20?, 0xc0013e4880}, {0x26dc670?, 0xc0006d6ea0}, {0x26b76e8?, 0x34ff2d0})
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1691 +0x583
www.velocidex.com/golang/vfilter.(*_SymbolRef).Reduce(0xc0011600c0, {0x26c1e20, 0xc0013e4880}, {0x26dc670, 0xc0006d6ea0})
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1545 +0x1c6
www.velocidex.com/golang/vfilter.(*_Value).Reduce(0xc00034cc00, {0x26c1e20, 0xc0013e4880}, {0x26dc670, 0xc0006d6ea0})
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1433 +0x14f
www.velocidex.com/golang/vfilter.(*_MemberExpression).Reduce(0xc001a55e00, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6ea0?})
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1120 +0x56
www.velocidex.com/golang/vfilter.(*_MultiplicationExpression).Reduce(0xc001a55e40, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6ea0?})
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1369 +0x53
www.velocidex.com/golang/vfilter.(*_AdditionExpression).Reduce(0xc001a55e80, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6ea0?})
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1284 +0x53
www.velocidex.com/golang/vfilter.(*_ConditionOperand).Reduce(0xc001fe1410, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6ea0?})
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1322 +0x85
www.velocidex.com/golang/vfilter.(*_OrExpression).Reduce(0xc000592040, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6ea0?})
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1246 +0x56
www.velocidex.com/golang/vfilter.(*_AndExpression).Reduce(0xc000592200, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6ea0?})
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1214 +0x4a
www.velocidex.com/golang/vfilter.(*_AliasedExpression).Reduce(0x0?, {0x26c1e20?, 0xc0013e4880?}, {0x26dc670?, 0xc0006d6ea0?})
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:679 +0x9f
www.velocidex.com/golang/vfilter.(*_SelectExpression).Transform.func2({0x26c1e20, 0xc0013e4880}, {0xc00690c330?, 0xa?})
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:916 +0x5b
www.velocidex.com/golang/vfilter.(*LazyRowImpl).Get(0xc0001c8e00, {0xc00690c330, 0xa})
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/lazy.go:60 +0x7d
www.velocidex.com/golang/vfilter/protocols.(*AssociativeDispatcher).Associative(0xc002252f98, {0x26dc670, 0xc0006d6fc0}, {0x1ecd480?, 0xc0001c8e00}, {0x1d97a20?, 0xc00263c130?})
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/protocols/protocol_associative.go:52 +0x3f5
www.velocidex.com/golang/vfilter/scope.(*Scope).Associative(...)
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/scope/scope.go:276
www.velocidex.com/golang/vfilter/scope.(*Scope).Resolve(0xc0006d6fc0, {0xc00690c330, 0xa})
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/scope/scope.go:551 +0x176
www.velocidex.com/golang/vfilter/protocols.(*AssociativeDispatcher).Associative(0xc002252f98, {0x26dc670, 0xc0006d6fc0}, {0x2149a20?, 0xc0006d6fc0}, {0x1d97a20?, 0xc00263c120?})
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/protocols/protocol_associative.go:46 +0x482
www.velocidex.com/golang/vfilter/scope.(*Scope).Associative(0xc00690c330?, {0x2149a20?, 0xc0006d6fc0?}, {0x1d97a20?, 0xc00263c120?})
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/scope/scope.go:276 +0x53
www.velocidex.com/golang/vfilter.(*_SymbolRef).getFunction(0xc001161f80, {0x26dc670, 0xc0006d6fc0})
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1505 +0x4de
www.velocidex.com/golang/vfilter.(*_SymbolRef).Reduce(0xc001161f80, {0x26c1e20, 0xc0013e4880}, {0x26dc670, 0xc0006d6fc0})
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1534 +0x65
www.velocidex.com/golang/vfilter.(*_Value).Reduce(0xc00034cd00, {0x26c1e20, 0xc0013e4880}, {0x26dc670, 0xc0006d6fc0})
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1433 +0x14f
www.velocidex.com/golang/vfilter.(*_MemberExpression).Reduce(0xc000592740, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6fc0?})
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1120 +0x56
www.velocidex.com/golang/vfilter.(*_MultiplicationExpression).Reduce(0xc000592780, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6fc0?})
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1369 +0x53
www.velocidex.com/golang/vfilter.(*_AdditionExpression).Reduce(0xc000592a00, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6fc0?})
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1284 +0x53
www.velocidex.com/golang/vfilter.(*_ConditionOperand).Reduce(0xc001fe15c0, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6fc0?})
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1322 +0x85
www.velocidex.com/golang/vfilter.(*_OrExpression).Reduce(0xc000a6e740, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6fc0?})
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1246 +0x56
www.velocidex.com/golang/vfilter.(*_AndExpression).Reduce(0xc000a6e800, {0x26c1e20, 0xc0013e4880}, {0x26dc670?, 0xc0006d6fc0?})
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1214 +0x4a
www.velocidex.com/golang/vfilter.(*_CommaExpression).Reduce(0xc000a6eac0, {0x26c1e20, 0xc0013e4880}, {0x26dc670, 0xc0006d6fc0})
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:1177 +0x5a
www.velocidex.com/golang/vfilter.(*_Select).processSingleRow(0xc001393220, {0x26c1e20, 0xc0013e4880}, {0x26dc670, 0xc0011a7680}, {0x2113680, 0xc0021cb180}, 0xc0020650e0)
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:585 +0x229
www.velocidex.com/golang/vfilter.(*_Select).Eval.func3()
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:548 +0xe5
created by www.velocidex.com/golang/vfilter.(*_Select).Eval
        /go/pkg/mod/www.velocidex.com/golang/[email protected]/vfilter.go:533 +0x2ca