Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines
Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.
REPEAT: Do NOT report bugs for outdated packages!
FS#62872 - Security fixes in VLC 3.0.7 and its dependencies
Attached to Project:
Arch Linux
Opened by Pascal Ernster (hardfalcon) - Tuesday, 11 June 2019, 13:37 GMT
Last edited by Levente Polyak (anthraxx) - Tuesday, 10 September 2019, 20:44 GMT
Details

VLC 3.0.7 was released a week ago (we still have 3.0.6 in the repositories), and its main author claims "This release is a bit special, because it has more security issues fixed than any other version of VLC":
http://www.jbkempf.com/blog/post/2019/VLC-3.0.7-and-security

He specifically states that libfaad2 currently has no maintainer - hence I suggest backporting the fix or fixes from VLC's source tree. One example a quick search unearthed is this one:
https://git.videolan.org/?p=vlc.git;a=blob;f=contrib/src/faad2/faad2-fix-overflows.patch

On the GitHub mirror of libfaad2's SourceForge repository, there's a pull request with what seem to be additional security fixes:
https://github.com/knik0/faad2/pull/36

The VLC changelog lists 24 security fixes for VLC 3.0.7, 5 of which are described as fixing multiple vulnerabilities, and most of them seem to reference external dependencies (although I'm not sure which of those entries apply to external dependencies and which apply to the glue code through which VLC uses those dependencies):
https://www.videolan.org/developers/vlc-branch/NEWS