I had a quick look at libass today regarding CVE-2016-7971.
When I read the discussion thread about this issue it looks like the problem is not only disputed upstream, but actually disputed by the person reporting the issue. Or rather the person reporting the issue has carified that the problem is not in libass but rather in the application using libass.
So if you do not mind I think we should both claim that the libass is not vulnerable and also close #840338.
If I do not hear an objection about this I will do so.