Passing `length+1` to `MultiByteToWideChar()` means the function may
fill the whole buffer with output data, and could theoretically
overwrite the null terminator.  In practice, this will never happen,
but this way, it's slightly more correct.

Also, null-terminate after `MultiByteToWideChar()`, after we got the
real output length.  Again, this would never have been a problem, but
who knows...