Chances are you're using tools and languages in a production setting
which have "snarf file as string" functions in their run-time libraries
that they are happily using.
The shell syntax "$(cat file)" will grab the entire file and turn it into
a word interpolated into the command line; it takes no argument on
limiting the size, and you see it in system shell scripts all the time.
Just because the code is "in production" doesn't mean that the input is
controlled by a malicious user who is trying to bring down the
application.
If your code processes a stream in its entirety, it may be open to a
DoS, even if it doesn't buffer all of it. It might not run out of
memory, but it will be stuck there reading the stream. The malicious
user just feeds a really large stream, perhaps an infinite one. Or a
small amount of input, but at a glacial pace, like one byte at a time,
with five minutes in between. (Anti-spam "honey pot" mail servers
do this sort of thing to suspected spammer connections.)
To be completely paranoid, you need timeouts everywhere.
--
TXR Programming Language:
http://nongnu.org/txr
Cygnal: Cygwin Native Application Library:
http://kylheku.com/cygnal
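
Added example, not part of the original post: a reader that enforces both a size cap and one overall deadline, so neither an oversized stream nor a slow drip can hold it. The names read_bounded, InputLimitError and demo are hypothetical, the pipe-fed inputs are constructed, and select() on a pipe assumes a POSIX system.

```python
import os
import select
import threading
import time

class InputLimitError(Exception):
    """Input exceeded the size cap or the overall time budget."""

def read_bounded(fd, max_bytes, deadline_secs, chunk=4096):
    """Read fd to EOF; give up past max_bytes or deadline_secs in total."""
    deadline = time.monotonic() + deadline_secs
    buf = bytearray()
    while True:
        # One budget for the whole read: a per-read timeout alone is
        # reset by every byte of a slow drip and never fires.
        remaining = deadline - time.monotonic()
        ready = remaining > 0 and select.select([fd], [], [], remaining)[0]
        if not ready:
            raise InputLimitError("deadline exceeded")
        # Ask for at most one byte past the cap, so oversize input is
        # detected without ever being buffered.
        data = os.read(fd, min(chunk, max_bytes + 1 - len(buf)))
        if not data:
            return bytes(buf)  # EOF reached within both limits
        buf += data
        if len(buf) > max_bytes:
            raise InputLimitError("size limit exceeded")

def demo(chunks, delay, max_bytes, deadline_secs):
    """Constructed harness: a thread feeds a pipe, read_bounded drains it."""
    r, w = os.pipe()
    def producer():
        try:
            for c in chunks:
                time.sleep(delay)
                os.write(w, c)
        except OSError:
            pass  # reader gave up and closed its end
        finally:
            os.close(w)
    threading.Thread(target=producer, daemon=True).start()
    try:
        return ("ok", read_bounded(r, max_bytes, deadline_secs))
    except InputLimitError as exc:
        return (str(exc), b"")
    finally:
        os.close(r)
```
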