The 'grow' function returns -1 if we go past the maximum size limit. Consider the following line of code:
return( grow( buffer, grow( buffer, pos+1, max,depth-1), max,depth-1 ) );
Let's say the nested grow returns -1. The outer grow accepts it for 'pos' i.e. index to next location in the tree to grow. There is no check inside the function grow against (pos == -1). Thus, it would raise a run time exception if used.
The reason it may not have occurred so far may be that we reach the depth constraint earlier than the size limit.
Indeed Atif is right: since by default MAX_LEN is set to 10,000, in order for the bug to occur one needs to use very big initial maximum depths so that individuals with more than 10,000 nodes may be created.
The online version of TinyGP (available here) has a fix for this potential bug.
PS: In the original version of TinyGP, the code to perform point mutation replaced terminals with variables. This implied a bias in that random constants were actively removed from the population when mutation was switched on. Atif pointed this out to me recently. The current version of TinyGP does not have this bias.