I also haven't read the code yet but malloc free may simply mean the code doesn't call malloc but it can still allocate things on the heap using New.

This program appears to use heap allocation, at least indirectly through its use of std::string.

On a more general note, libraries that perform zero dynamic allocation (and instead require the library user to pass in memory) can be very convenient for systems programming where portability is a concern. For example, I use Intel XED instruction encoder/decoder, which is a library that performs no dynamic memory allocation. This allows me to use it in user space and kernel space without hijacking the malloc symbol.