Switch to a safer technique for obtaining the working directory on Windows

Instead of looping 8 times to work around the TOCTOU issue with sizing the current directory buffer, instead keep doubling the buffer up until the 32767 character limit until the result fits. This ensures we always get a working directory if GetWorkingDirectoryW didn't return some other error, rather than returning nil in the case of a race condition.

Author: jakepetroules

Sources/FoundationEssentials/FileManager/FileManager+Directories.swift

@@ -489,22 +489,10 @@ extension _FileManagerImpl {
 
     var currentDirectoryPath: String? {
 #if os(Windows)
-        var dwLength: DWORD = GetCurrentDirectoryW(0, nil)
-        guard dwLength > 0 else { return nil }
-
-        for _ in 0 ... 8 {
-            if let szCurrentDirectory = withUnsafeTemporaryAllocation(of: WCHAR.self, capacity: Int(dwLength), {
-                let dwResult: DWORD = GetCurrentDirectoryW(dwLength, $0.baseAddress)
-                if dwResult == dwLength - 1 {
-                    return String(decodingCString: $0.baseAddress!, as: UTF16.self)
-                }
-                dwLength = dwResult
-                return nil
-            }) {
-                return szCurrentDirectory
-            }
+        let initialSize = GetCurrentDirectoryW(0, nil)
+        return try? Win32FillNullTerminatedStringBuffer(initialSize: initialSize != 0 ? initialSize : DWORD(MAX_PATH), maxSize: DWORD(Int16.max)) {
+            GetCurrentDirectoryW(DWORD($0.count), $0.baseAddress)
         }
-        return nil
 #else
         withUnsafeTemporaryAllocation(of: CChar.self, capacity: FileManager.MAX_PATH_SIZE) { buffer in
             guard getcwd(buffer.baseAddress!, FileManager.MAX_PATH_SIZE) != nil else {

Sources/FoundationEssentials/WinSDK+Extensions.swift

@@ -288,4 +288,29 @@ internal func WIN32_FROM_HRESULT(_ hr: HRESULT) -> DWORD {
     return DWORD(hr)
 }
 
+internal func Win32FillNullTerminatedStringBuffer(initialSize: DWORD, maxSize: DWORD, _ attempt: (UnsafeMutableBufferPointer<WCHAR>) throws -> DWORD) throws -> String {
+    var bufferCount = max(1, min(initialSize, maxSize))
+    while bufferCount < maxSize {
+        if let result = try withUnsafeTemporaryAllocation(of: WCHAR.self, capacity: Int(bufferCount), { buffer in
+            let count = try attempt(buffer)
+            switch count {
+            case 0:
+                throw Win32Error(GetLastError())
+            case 1..<DWORD(buffer.count):
+                guard let result = String.decodeCString(buffer.baseAddress!, as: UTF16.self)?.result else {
+                    throw Win32Error(DWORD(ERROR_ILLEGAL_CHARACTER))
+                }
+                assert(result.utf16.count == count, "Parsed UTF-16 count \(result.utf16.count) != reported UTF-16 count \(count)")
+                return result
+            default:
+                bufferCount *= 2
+                return nil
+            }
+        }) {
+            return result
+        }
+    }
+    throw Win32Error(DWORD(ERROR_INSUFFICIENT_BUFFER))
+}
+
 #endif