Find it and CL did not provide any possible suspects.
Using Code Search for the file, "PartitionAllocator.h" assigning to the concern owner who might be related.

@palmer -- Could you please look into the issue, kindly re-assign if this is not related to your changes.
Thank You.

This is working as intended: the test case causes an insane/unsafe allocation size, and the CHECK_LE in the code detects that:

  template<typename T>
  static size_t maxElementCountInBackingStore() {
    return base::kGenericMaxDirectMapped / sizeof(T);
  }

  template <typename T>
  static size_t quantizedSize(size_t count) {
    CHECK_LE(count, maxElementCountInBackingStore<T>());
    return PartitionAllocActualSize(WTF::Partitions::bufferPartition(),
                                    count * sizeof(T));
  }

ClusterFuzz has detected this issue as fixed in range 476474:476520.

Detailed report: https://clusterfuzz.com/testcase?key=4788431998943232

Fuzzer: inferno_layout_test_unmodified
Job Type: linux_ubsan_vptr_chrome
Platform Id: linux

Crash Type: CHECK failure
Crash Address: 
Crash State:
  count <= base::kGenericMaxDirectMapped / sizeof(T) in PartitionAllocator.h
  blink::CSSTokenizer::CSSTokenizer
  blink::CSSParserImpl::parseStyleSheet
  
Sanitizer: undefined (UBSAN)

Regressed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=443258:443393
Fixed: https://clusterfuzz.com/revisions?job=linux_ubsan_vptr_chrome&range=476474:476520

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=4788431998943232


See https://dev.chromium.org/Home/chromium-security/bugs/reproducing-clusterfuzz-bugs for more information.

If you suspect that the result above is incorrect, try re-doing that job on the test case report page.