The X.509 impl of CertificateFactory only parses X.509 blocks smaller than 16MB, i.e. when the length can be encoded in 3 octets. Now we have a customer whose CRL file is as big as 30MB.
Although we will fix this bug and support larger CRL files, parsing it consumes huge amount of memory. There might be some deeper problems in the DerInputStream or DerInputBuffer. That will be resolved in 6670894 (already added in See Also).