Amount of memory allocated during memory reallocation in the shaper wasn't tracked, possibly resulting in undefined behavior (CVE-2016-7972).
Illegal read in Gaussian blur coefficient calculations (CVE-2016-7970).
Mode 0/3 line wrapping equalization in specific cases could result in illegal reads while laying out and shaping text. (CVE-2016-7969)
The libass package has been updated to version 0.13.4, fixing this issue and several other bugs.