shell: fix occasional subtraction overflow

On a specific document, the original function causes evince to crash with SIGILL when compiled with -fsanitize=signed-integer-overflow with clang (don't know about other compilers). This document seems to cause signed integer overflow in the original function, which is undefined behavior in C (and should be fixed regardless of the compiler flag mentioned above).