shell: fix occasional subtraction overflow

On a specific document, the original function causes evince to crash
with SIGILL when compiled with -fsanitize=signed-integer-overflow with
clang (don't know about other compilers). This document seems to cause
signed integer overflow in the original function, which is undefined
behavior in C (and should be fixed regardless of the compiler flag
mentioned above).