
FWIW, there are two Harfbuzzes: the old one that is derived from Qt code that many people have collaborated and hammered on over the years, and the new one that Mozilla uses that was rewritten from scratch by one person. The new one is likely better-written overall (the author generally knows what he's doing), but it's not really true that Harfbuzz (as Mozilla uses it) has been collaborated on by many parties or has had as much (or any) security analysis.

(I worked on relevant pieces of Chrome, which has had a bunch of security issues due to bugs in the older, presumably more vetted, Harfbuzz, so I don't have a lot of confidence in code in this area. Lots of indexing into arrays.)




There's been plenty of that in our version too.

e.g. https://bugzilla.mozilla.org/show_bug.cgi?id=701637



