Byte pdf = toPdf(file);
Here, a method creates a PDF file from some input and returns the binary PDF data as a byte array. This code expects that the generated file is small enough to adjust into the available heap memory.
If this code can not make this 100% sure, then it is vulnerable to an out of memory condition. Moreover, if this code is running server-side, which usually means numerous parallel threads — bulk data must never be handled with byte arrays. Streams should be used and the data should be spooled to disk or a database.
File pdf = to Pdf(file);
A similar anti-pattern is to buffer streaming input from an "untrusted" source, such as buffering data that arrives on a network socket. If the application doesn't know how much data will arrive, it must make sure that it keeps an eye on the amount of the data. If the volume of buffered data exceeds limits, an error condition (exception) should be signaled to the caller.